(57) Abstract: A method and system for encrypting a first piece of information M to be sent by a sender (100) to a receiver (110)
allows both sender and receiver to compute a secret message key using identity-based information and a bilinear map. In one
embodiment, the sender (100) computes an identity-based encryption key from an identifier ID associated with the receiver (110).
The identifier ID may include various types of information such as the receiver's e-mail address, a receiver credential, a message
identifier, or a date. The sender uses a bilinear map and the encryption key to compute a secret message key g_ID^r, which is then used
to encrypt a message M, producing ciphertext V to be sent from the sender (100) to the receiver (110) together with an element rP.
An identity-based decryption key d_ID is computed by a private key generator (120) based on the ID associated with the receiver and a
secret master key s. After obtaining the private decryption key from the key generator (120), the receiver (110) uses it together with
the element rP and the bilinear map to compute the secret message key g_ID^r, which is then used to decrypt V and recover the original
message M. According to one embodiment, the bilinear map is based on a Weil pairing or a Tate pairing defined on a subgroup of
an elliptic curve. Also described are several applications of the techniques, including key revocation, credential management, and
return receipt notification.
ENCRYPTION AND RELATED CRYPTOGRAPHIC TECHNIQUES



CROSS-REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of U.S. provisional application number 60/311946, 
filed 08/13/2001, which is incorporated herein by reference. 

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH 
OR DEVELOPMENT 

The present invention was made with the support of DARPA contract F30602-99-1-0530.
The U.S. Government has certain rights in the invention.

REFERENCE TO COMPACT DISK APPENDIX 
Not applicable. 

BACKGROUND OF THE INVENTION 

The field of the present invention relates generally to cryptographic systems. 

Public-key cryptographic systems allow two people to exchange private and authenticated
messages without requiring that they first have a secure communication
channel for sharing private keys. One of the most widely used public-key cryptosystems
is the RSA cryptosystem disclosed in U.S. Pat. No. 4,405,829. The RSA cryptosystem
is currently deployed in many commercial systems. It is used by web servers
and browsers to secure web traffic, it is used to ensure privacy and authenticity of
e-mail, it is used to secure remote login sessions, and it is at the heart of electronic
credit-card payment systems. In short, RSA is frequently used in applications where
security of digital data is a concern.

According to public-key cryptosystems such as the RSA cryptosystem, each person
has a unique pair of keys: a private key that is a secret and a public key that
is widely known. This pair of keys has two important properties: (1) the private
key cannot be deduced from knowledge of the public key alone, and (2) the two
keys are complementary, i.e., a message encrypted with one key of the pair can be
decrypted only with the complementary key. In these systems, both the public key
and the private key in a pair are generated together as the output of a key generation
algorithm that takes as input a random seed. Consequently, in these cryptosystems,
people cannot choose a desired public or private key, but must simply use the keys that
are generated for them by a key generation algorithm. This has the disadvantage that
others cannot encrypt messages to a person until that person generates and publishes
a public key. Another problem with this type of cryptosystem is that an impostor
can publish a public key and claim that it belongs to someone else. To address
this issue, a trusted certificate authority (CA) is used to authenticate individuals
and certify to others that the individual's public key is authentic. Unfortunately, this
adds complexity to the cryptosystem since a sender must obtain a certificate for every
receiver, and must obtain a new certificate every time an existing certificate expires.
It also requires receivers to create public keys, publish them, register certificates with
the CA, and renew such certificates when they expire.

In 1984 Shamir envisioned a new type of public key encryption scheme (described
in A. Shamir, "Identity-based cryptosystems and signature schemes", in Advances
in Cryptology - Crypto '84, Lecture Notes in Computer Science, Vol. 196, Springer-
Verlag, pp. 47-53, 1984). According to Shamir's scheme, a person's public key consists
of a public identifier, which may be the person's name and network address, or a combination
of name and e-mail address, social security number, street address, telephone
number, or office address. Because the public key is the person's pre-existing public
identifier (ID) rather than a key produced from a random seed, this kind of public key
cryptosystem is called an identity-based encryption (IBE) scheme. Shamir, however,
did not provide a concrete, practical IBE cryptosystem. In fact, Shamir argued that
existing cryptosystems (such as RSA) could not be adapted to realize a secure IBE
cryptosystem.

In the years since Shamir proposed his IBE scheme there have been several attempts
to realize an identity-based cryptosystem. Some proposals require that users
not collude. Other proposals require the private key generator (PKG) to spend an
impractically long time for each private key generation request. Some proposals require
tamper resistant hardware.

In short, there remains a need for improved cryptographic methods and systems. 



SUMMARY OF THE INVENTION 

According to one embodiment of the invention, a method of encrypting a first 
piece of information to be sent by a sender to a receiver uses an encryption key 
generated from a second piece of information. A bilinear map and the encryption key 
are used to encrypt at least a portion of the first piece of information to be sent from 
the sender to the receiver. The bilinear map may be symmetric or asymmetric. The 
bilinear map may be based on a Weil pairing or a Tate pairing defined on an algebraic 
group derived from an elliptic curve. More generally, the bilinear map may be based 
on a pairing defined on algebraic varieties. 

According to one embodiment of the invention, encrypting the portion of the 
first piece of information can be completed prior to generating a decryption key 
corresponding to the encryption key. 

According to another embodiment of the invention, the second piece of information 
is known to the receiver prior to the generation of a decryption key corresponding 
to the encryption key. The second piece of information may comprise a character 
string such as an e-mail address, name or other identifier associated with the receiver, 
according to different embodiments of the invention. The second piece of information 
may also include, according to various embodiments, an attribute associated with the 
receiver or information corresponding to a time or times, such as a date or series of 
dates defining one or more time intervals. A decryption key may be provided based 
on a time that a request for the decryption key is received relative to the information 
corresponding to a time. According to other embodiments of the invention, the 
second piece of information may include a message identifier, a credential identifier
or a message subject identifier.



According to another embodiment of the invention, a message key is generated 
from the encryption key using a bilinear map, and a cryptographic hash function is 
applied to the message key. 

According to another embodiment of the invention, encrypting the portion of 
the first piece of information includes generating a mask from the second piece of 
information using a bilinear map. The mask is applied to the portion of the second 
piece of information. 

An embodiment of the invention is directed to a method of decrypting ciphertext
which has been encrypted by a sender using an identity-based encryption key associated
with a receiver. A decryption key derived from the encryption key is obtained.
At least a portion of the ciphertext is decrypted using a bilinear map and the decryption
key. The bilinear map may be symmetric or asymmetric. The bilinear map may
be based on a Weil pairing or a Tate pairing defined on an algebraic group derived
from an elliptic curve.

According to another embodiment of the invention, the ciphertext is obtained prior 
to creating the decryption key. According to another embodiment of the invention, 
the first piece of information is known to the receiver prior to obtaining the ciphertext 
and prior to obtaining the decryption key. The decryption key may be obtained by 
sending a request to a private key generator, including information sent together with 
the ciphertext. 

An embodiment of the invention is directed to a method of generating a decryption 
key corresponding to an encryption key. An algebraic group, a group action, and a 
master key are provided. The encryption key is generated based on a first piece of 
information. The decryption key is generated based on the group action, the master 
key and the encryption key. According to one embodiment of the invention, the group 
action is capable of being calculated in polynomial time. According to another aspect 
of the invention, generation of the decryption key in the absence of the master key 
would require greater than polynomial time. 

Another embodiment of the invention is directed to a method of providing system
parameters for a cryptographic system. Algebraic groups G1 and G2 having an order
q are provided, together with associated group actions. In addition, a bilinear map
is provided that maps pairs of points in G1 to points in G2. In another embodiment,
a system parameter representing a member P of G1, and a system parameter representing
a member P_pub of G1 are provided, where P_pub is based on the group action
of a master key s applied to P. According to other embodiments of the invention, a
system parameter representing a set of one or more hash functions H1, H2, H3, or H4
is provided. According to another embodiment of the invention, a system parameter
representing a size n of a message space is provided.

According to another embodiment of the invention, the bilinear map may be 
asymmetric or symmetric. In another embodiment the bilinear map is based on a 
Weil pairing or a Tate pairing defined on a portion of an elliptic curve. 

According to another embodiment of the invention, the algebraic group G1 is
defined by an elliptic curve defined over a field of order p and the order q is less than
the order p. According to another aspect of the invention, the length of p is at least
1024 bits and the length of q is no greater than 160 bits.

Another embodiment of the invention is directed to a method for managing cryptographic
communication including generating shares of a master key. The shares
are stored in separate systems. A request from a receiver to obtain a private key is 
responded to in the separate systems by generating from the respective shares of the 
master key, corresponding respective shares of the private key. The receiver constructs 
the private key from the shares of the private key, where the private key corresponds 
to identifying information of the receiver. 

Another embodiment of the invention is directed to a method for communicating 
between a sender and a receiver. A message to be sent from the sender to the receiver 
is encrypted, and the message is sent from the sender to the receiver. A request for 
a decryption key is received from the receiver of the message. After receiving the 
request for the decryption key, information indicating that the receiver has received 
the message is generated, and the decryption key is provided to the receiver. Accord- 
ing to an embodiment of the invention, a return address of the sender is included in 
the message, and an acknowledgment that the message has been received is sent to 
the return address. According to another aspect of the invention, an identification of 
the message is included in an acknowledgment and the acknowledgment is sent to the
sender. According to another aspect of the invention, the encryption key is derived
based on a return address of the sender.

Another embodiment of the invention is directed to a method for communicating 
between a sender and a receiver having a credential. Identifying information of the 
receiver is obtained. A credential required for the receiver to gain a decryption key 
is specified, and an encryption key is derived from the identifying information of the 
receiver and the credential. A message to be sent from the sender to the receiver 
is encrypted using the encryption key and a bilinear map, and the message is sent 
from the sender to the receiver. A request for a decryption key is received from the 
receiver of the message. It is determined whether the receiver has the credential, 
and if the receiver has the credential, the decryption key is provided to the receiver. 
The receiver then may use the decryption key and the bilinear map to decrypt the 
message. 

Another embodiment of the invention is directed to a method of communicating
between a sender and a receiver involving storing a decryption key on a target system.
Sets of decryption keys associated with the times at which messages may be decrypted
are derived, and the decryption keys are stored on the target system. An encryption key
is derived from a string associated with a time a message is to be decrypted. A message
is encrypted using the encryption key. The message is received on the target system,
and the message is decrypted using a bilinear map and the corresponding decryption
key.

Another embodiment of the invention is directed to a method of communicating
between a sender and receiver involving entities having different responsibilities. A
set of decryption keys is derived from a master key and a set of strings associated
with different responsibilities. The decryption keys are provided to entities having
the respective responsibilities. An encryption key is derived from a string associated
with one of the different responsibilities. A message to be sent from the sender to the
receiver is encrypted using the encryption key and a bilinear map. An entity having
a particular responsibility receives the message and decrypts the message using the
respective decryption key and the bilinear map. According to one embodiment of
the invention, the string corresponding to the particular responsibility comprises a
subject line of an e-mail.
BRIEF DESCRIPTION OF THE DRAWING FIGURES



FIG. 1 is a block diagram illustrating a cryptosystem according to an embodiment 
of the invention, showing steps taken by a sender, a receiver, and a private key 
generator (PKG), and information communicated between them. 

FIG. 2 is a block diagram illustrating steps performed by a PKG when generating 
a private key according to an embodiment of the invention. 

FIG. 3 is a block diagram illustrating steps performed by a sender when computing
a secret message key and using it to encrypt a message intended for a receiver
according to an embodiment of the invention.

FIG. 4 is a block diagram illustrating steps performed by a receiver when computing
a secret message key and using it to decrypt ciphertext received from a sender
according to an embodiment of the invention.

FIG. 5 is a block diagram illustrating a distributed PKG, according to an embodiment
of the invention.

FIG. 6 is a block diagram illustrating elements in a cryptosystem with escrow 
decryption capability according to an embodiment of the invention. 

FIG. 7 is a block diagram illustrating steps performed by a sender when encrypting
messages in an ElGamal cryptosystem with escrow decryption capability according
to an embodiment of the invention.

FIG. 8 is a block diagram illustrating steps performed by a receiver when decrypting
messages in an ElGamal cryptosystem with escrow decryption capability
according to an embodiment of the invention.

FIG. 9 is a block diagram illustrating steps performed by an escrow when decrypting
messages in an ElGamal cryptosystem with escrow decryption capability
according to an alternate embodiment of the invention.

FIG. 10 is a block diagram illustrating a system for managing credentials in an 
identity based encryption system according to an embodiment of the invention. 

FIG. 11 is a block diagram illustrating a system with key delegation according to 
an embodiment of the invention. 
FIG. 12 is a block diagram illustrating an encryption system with return receipt
according to an embodiment of the invention.



DETAILED DESCRIPTION OF THE INVENTION 

The following description provides details of several exemplary embodiments of 
the cryptographic techniques of the present invention, as well as a technical discussion 
of the security of the system. 

Overview 

As is normally the case with modern cryptosystems, the techniques of the present
invention are generally implemented on computers connected by a communication
medium. Although typically the computers are connected by the Internet or another
computer network, any communication medium may be used.

One embodiment of the invention comprises an identity-based encryption system
that uses a secret message key derived from identity-based information. The message
key may be used by a sender to encrypt a message, and by a receiver to decrypt the
message. The secret message key is computed by the sender from an identity-based
public key of the receiver. The same message key may be computed by the receiver
from the receiver's private key, which is derived from the receiver's identity-based
public key. Both sender and receiver compute the same secret key using a bilinear
map. For example, in one embodiment, an asymmetric or symmetric bilinear map
e : G0 × G1 → G2 is used where G0, G1, G2 are (not necessarily distinct) algebraic
groups. In the case where G0 is equal to G1, we say the bilinear map is symmetric
and often denote it as e : G1 × G1 → G2. A bilinear map e that is non-degenerate
and efficiently computable will be referred to as an admissible map. It is preferable
in some embodiments of the invention that the bilinear map be admissible.

The convention throughout this description will be to denote the group operations
of G0 and G1 by addition, and the group operation of G2 by multiplication. For a
group G of prime order we use G* to denote the set G* = G \ {O} where O is the
identity element in the group G. The set of binary strings of arbitrary length is
denoted by {0,1}*. We use Z_q to denote the group {0, ..., q − 1} under addition
modulo q, and we use Z^+ to denote the set of positive integers. We note that there
is a natural group action of Z_q on G given by repeated addition, and we denote the
result of the action of an element a ∈ Z_q on an element P ∈ G by aP.

According to another embodiment of the invention, a certain variant (involving the
map e) of the computational Diffie-Hellman problem is hard. In one implementation
the map e is admissible and the orders of G0, G1, G2 have a very large prime factor q.
The orders of G0, G1 and G2 may be equal to each other. Without loss of generality,
the following description assumes for simplicity that the orders of G0, G1 and G2 are
all of prime order q.

In an exemplary embodiment, an admissible map e : G1 × G1 → G2 is used to
realize an identity-based cryptosystem, as follows. To encrypt a message, a sender uses
a public key Q_ID ∈ G1 associated with a public identifier ID for the intended receiver.
To decrypt the encrypted message, the receiver uses a complementary private key
d_ID ∈ G1. The private key is computed from the public key Q_ID, a secret master key
s ∈ Z_q^*, and a group action of Z_q^* on G1. In one embodiment, for example, d_ID = sQ_ID.
Since the secret master key s is known only by a trusted PKG, users normally cannot
themselves compute private keys. To obtain a private key, an individual may obtain
it from the PKG, preferably after being authenticated. At any time, however, anyone
can compute the public key Q_ID associated with any public identifier ID even before
the corresponding private key has been determined. For example, in one embodiment
the public key Q_ID may be obtained by (1) using a conventional character encoding
scheme to map the public identifier ID to a corresponding binary string in {0,1}*,
and (2) using a hash function H1 : {0,1}* → G1^* to hash the binary string to the
element Q_ID of G1^*, where the order of Q_ID is q.

In this embodiment, a message intended for a receiver with public identifier ID
may be encrypted and decrypted as follows. The admissible map e may be used by
the sender to determine a secret message key. Although the sender and receiver do not
share all the same information, using the fact that the map e is bilinear, they can use
different information to compute the same message key. Since each uses information
that is private, the message key is a secret.

To illustrate how this approach may be implemented, suppose that the sender has
knowledge of elements P and sP in G1. In one embodiment, for example, elements
P and P_pub = sP in G1 are published system parameters. Now further suppose the
sender privately selects a random r ∈ Z_q^*, and uses the receiver's identity-based public
key Q_ID to compute g_ID^r = e(rQ_ID, sP). The element g_ID^r is an identity-based secret which
the sender may use as a secret message key to perform identity-based encryption of
a message to the receiver. The sender may then send an encrypted message together
with rP to the receiver. The receiver then receives rP and uses it together with the
private key sQ_ID to compute the secret message key g_ID^r = e(sQ_ID, rP). This secret
message key is equal to the secret message key computed by the sender because of
the bilinearity of the e map. This computed element g_ID^r ∈ G2 is thus an identity-
based secret of the sender which the receiver may compute using the element rP and
the private key sQ_ID. This secret may be used as a message key for cryptographic
communication between the sender and receiver.

Note that the PKG also knows the receiver's private key, so it can also compute
the secret message key and decrypt the message. The sender, receiver and PKG
all have sufficient information to compute the secret message key. No other entity,
however, normally has knowledge of the sender's secret r or the receiver's secret sQ_ID.
The security of this embodiment is related to the difficulty of computing the secret
message key, which is based upon a combination of r, s, and Q_ID using a bilinear map,
without knowledge of r or knowledge of sQ_ID.

In one embodiment, the message key g_ID^r is used to determine a mask which is used
to encrypt and decrypt the bits of the message using an XOR operation (denoted
by '⊕'). Specifically, the ciphertext V of a message M is produced by computing
V = M ⊕ H2(g_ID^r) where H2 : G2 → {0,1}^n is a hash function, and n is the bit length
of the message. Conversely, the message M is recovered from the ciphertext V by
computing M = V ⊕ H2(g_ID^r).

In another embodiment, the one-way encryption scheme outlined above is made
more secure by converting it into a chosen ciphertext secure system. In one embodiment
of the invention, for example, a general technique of Fujisaki-Okamoto is
used.

In another embodiment, the master key is broken into components s_i distributed
among several private key generators in a distributed PKG. For a given user with a
public key Q_ID based on an identifier ID, each of these private key generators in the
distributed PKG computes a private key portion d_i using Q_ID and its portion s_i of the
master key. These private key portions can be combined by the user and used as a
single private key d_ID to decrypt messages encrypted with Q_ID.
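The following is an added, runnable model of the scheme described above (the message key g_ID^r = e(rQ_ID, sP) = e(sQ_ID, rP), the XOR mask H2, and the distributed PKG whose key portions d_i are summed by the user); it is not the patent's code or any library's. The bilinear map is a constructed toy: G1 is the additive group Z_q with an element aP stored as the integer a (so P = 1), G2 is the order-q subgroup of Z_p^* generated by g, and e(aP, bP) = g^(ab) mod p. The parameters p, q, g, the hash functions h1 and h2 (sha256 and shake_256 standing in for H1 and H2), the identifiers and the plaintext are all constructed for the example. Because a can be read off aP, this toy offers no security; it only makes the algebra executable. A real instance uses a Weil or Tate pairing on an elliptic-curve subgroup.

```python
# Toy model of the identity-based scheme: Setup, Extract, Encrypt, Decrypt
# and a distributed PKG, over a constructed pairing e(aP, bP) = g^(ab) mod p.
# Insecure by construction (aP is stored as a mod q); illustration only.
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin with witnesses 2, 3, 5, 7: deterministic for n < 3.2e9."""
    if n < 11:
        return n in (2, 3, 5, 7)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_params(start=2 ** 30):
    """Smallest prime q >= start with p = 2q + 1 prime; g = 4 (a square) has order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

p, q, g = safe_prime_params()   # constructed parameters (about 31-bit q)
P = 1                            # generator of G1 = Z_q; aP is simply a mod q

def pairing(a_point, b_point):
    """Toy admissible map e(aP, bP) = g^(ab): bilinear because exponents multiply."""
    return pow(g, (a_point * b_point) % q, p)

def h1(identifier):
    """H1 : {0,1}* -> G1*: public key Q_ID of an identifier, never the identity 0."""
    digest = hashlib.sha256(identifier.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def h2(g2_element, n):
    """H2 : G2 -> {0,1}^n (n bytes): the XOR mask derived from the message key."""
    return hashlib.shake_256(g2_element.to_bytes(8, "big")).digest(n)

def setup():
    """PKG: master key s in Z_q* and the public parameter P_pub = sP."""
    s = 1 + secrets.randbelow(q - 1)
    return s, (s * P) % q

def extract(s, identifier):
    """PKG (or one share-holder of a distributed PKG): d_ID = s * Q_ID."""
    return (s * h1(identifier)) % q

def encrypt(p_pub, identifier, message):
    """Sender: U = rP and V = M xor H2(g_ID^r), with g_ID^r = e(rQ_ID, P_pub)."""
    r = 1 + secrets.randbelow(q - 1)
    key = pairing((r * h1(identifier)) % q, p_pub)
    mask = h2(key, len(message))
    return (r * P) % q, bytes(m ^ k for m, k in zip(message, mask))

def decrypt(d_id, u, v):
    """Receiver: M = V xor H2(e(d_ID, rP)); same key as the sender by bilinearity."""
    mask = h2(pairing(d_id, u), len(v))
    return bytes(c ^ k for c, k in zip(v, mask))

def split_master_key(s, n_shares):
    """Distributed PKG: additive shares s_i with sum equal to s (mod q)."""
    shares = [secrets.randbelow(q) for _ in range(n_shares - 1)]
    return shares + [(s - sum(shares)) % q]

def combine_key_shares(d_shares):
    """User: sum of d_i = sum of s_i Q_ID = s Q_ID, by linearity of the group action."""
    return sum(d_shares) % q

def demo():
    """Run one exchange; the message is encrypted before the receiver holds any key."""
    s, p_pub = setup()
    identifier = "alice@example.com"              # constructed identifier
    message = b"meet at noon"                     # constructed plaintext
    u, v = encrypt(p_pub, identifier, message)
    d_id = extract(s, identifier)                 # single PKG
    d_shared = combine_key_shares(                # three-party distributed PKG
        [extract(s_i, identifier) for s_i in split_master_key(s, 3)])
    return {
        "roundtrip": decrypt(d_id, u, v),
        "shares_match": d_shared == d_id,
        "wrong_identity": decrypt(extract(s, "bob@example.com"), u, v),
        "tampered": decrypt(d_id, u, bytes([v[0] ^ 1]) + v[1:]),
    }
```

Calling `demo()` returns the recovered plaintext, confirms that the three PKG shares combine to the same d_ID, and shows that a key extracted for a different identifier, or a ciphertext with one bit flipped, does not yield the message. The mask construction (V = M ⊕ H2(g_ID^r)) is malleable by itself, which is why the text goes on to convert the scheme into a chosen-ciphertext-secure one.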



In another embodiment, an ElGamal encryption scheme is provided with built-
in key escrow, i.e., where one global escrow key can decrypt ciphertexts encrypted
under any public key. In this embodiment, the exemplary system described above
is adapted as follows. Suppose that the receiver also has knowledge of elements P
and sP. Rather than obtaining a private key from the PKG, the receiver generates a
public/private key pair by selecting a random x ∈ Z_q^*, computing xP using a group
action, and publishing a public key based on the result of the computation. In one
embodiment, the public key is xP and the complementary private key is d = x(sP).
(Thus, xP plays the role of Q_ID, and d = x(sP) = s(xP) plays the role of d_ID = sQ_ID.)
To encrypt a message to the receiver, the sender as before selects a random r and sends
rP to the receiver. Then the receiver knows the pair (rP, x(sP)), where x(sP) = d is
a secret, while the sender knows the pair (sP, r(xP)), where r(xP) is a secret. Thus,
the sender and receiver both can compute g = e(rP, x(sP)) = e(sP, r(xP)), where
the second equality follows from the bilinearity of e. This secret, however, can also
be determined from knowledge of the master key s. Using the element rP from the
sender, the receiver's public key xP, and the master key s, the message key can be
computed by evaluating g = e(rP, s(xP)). It should be noted that this embodiment
makes use of a symmetric bilinear map e : G1 × G1 → G2.
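The escrow variant just described, as an added example that is not part of the patent text or any library: the receiver publishes xP and keeps d = x(sP), the sender derives e(sP, r(xP)), the receiver derives e(rP, x(sP)), and the escrow holder derives the same e(rP, s(xP)) from the master key alone. The pairing is the same constructed toy as before, e(aP, bP) = g^(ab) mod p with aP stored as a mod q; the parameters p = 1019, q = 509 (both prime, p = 2q + 1) and g = 4 (a square, hence of order q), the `mask` function standing in for H2, and the two receivers and plaintexts are constructed for the example, which is insecure by design and only exercises the algebra.

```python
# Toy model of the ElGamal-with-escrow embodiment over a constructed pairing.
# aP is stored as a mod q (P = 1); insecure by construction, illustration only.
import hashlib
import secrets

p, q, g = 1019, 509, 4          # constructed: p = 2q + 1, both prime, g of order q

def pairing(a_point, b_point):
    """Toy symmetric bilinear map e(aP, bP) = g^(ab) mod p."""
    return pow(g, (a_point * b_point) % q, p)

def mask(key, n):
    """n-byte XOR mask derived from a G2 element (the H2 role)."""
    return hashlib.shake_256(key.to_bytes(2, "big")).digest(n)

def rand_zq_star():
    return 1 + secrets.randbelow(q - 1)

def setup():
    """Escrow authority: master key s and public parameter P_pub = sP."""
    s = rand_zq_star()
    return s, s % q                       # P = 1, so sP is just s

def keygen(p_pub):
    """Receiver: private x, public key xP, decryption key d = x(sP) = s(xP)."""
    x = rand_zq_star()
    return x % q, (x * p_pub) % q         # (xP, d); no PKG involved

def encrypt(p_pub, pub_x, message):
    """Sender: random r, message key e(sP, r(xP)), sends (rP, V)."""
    r = rand_zq_star()
    key = pairing(p_pub, (r * pub_x) % q)
    return r % q, bytes(m ^ k for m, k in zip(message, mask(key, len(message))))

def decrypt(d, u, v):
    """Receiver: message key e(rP, x(sP)) from the private key d."""
    key = pairing(u, d)
    return bytes(c ^ k for c, k in zip(v, mask(key, len(v))))

def escrow_decrypt(s, pub_x, u, v):
    """Escrow: message key e(rP, s(xP)) from the master key and the public key xP."""
    return decrypt((s * pub_x) % q, u, v)

def demo():
    """Two receivers with independent key pairs; one escrow key opens both."""
    s, p_pub = setup()
    results = {}
    for name in ("alice", "bob"):                  # constructed receivers
        pub_x, d = keygen(p_pub)
        message = f"for {name}".encode()           # constructed plaintexts
        u, v = encrypt(p_pub, pub_x, message)
        results[name] = (decrypt(d, u, v), escrow_decrypt(s, pub_x, u, v))
    return results
```

`demo()` returns, for each receiver, the plaintext recovered by that receiver and the plaintext recovered by the escrow holder; both equal the original, which is the property the embodiment claims and also the property a deployment must weigh, since whoever holds s can read every message sent under every public key derived from P_pub.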

In several embodiments of the invention, G1 is a subgroup of an elliptic curve,
and an admissible map e is constructed from the Weil pairing (or Tate pairing) on
the elliptic curve. (Recall that, by definition, a subgroup is not necessarily smaller
than the group, i.e., G1 may be the entire elliptic curve). More generally, G1 may be
an abelian variety and e an admissible pairing of its elements. In embodiments using
a map e : G0 × G1 → G2 where G0 and G1 are distinct, G0 also may be a subgroup
of an elliptic curve, or more generally, an abelian variety.

In other embodiments, various novel applications of identity-based encryption are
provided. New and useful applications of IBE systems are possible by using other
types of public identifiers, or enhanced public identifiers. For example, the public
identifier ID is not limited to an identifier associated with an individual person, but
may be an identifier associated with any type of entity including not just individuals
but also organizations, governmental agencies, corporations and the like. It should
also be noted that individual identities forming a group may be naturally combined
to produce a joint identity for the group with a corresponding group private key. The
group's private key need not be issued by a PKG, but is simply the combination of
the separate private keys of the entities composing the group. It should be noted that
the basic ID specifying the identity of an entity is not limited to the name, e-mail
address, address, or social security number of an entity, but could also include other
types of information such as domain names, URLs, 9-digit zip codes, tax identification
numbers, and so on. In many applications, the public identifier ID will contain some
character string known to the public to be uniquely associated with a particular
entity or collection of entities. In general, however, the public identifier ID can be
any arbitrary character string or other arbitrary information.

Various useful applications of IBE make use of enhanced public identifiers. An
enhanced identifier may comprise a type of identifier that contains information not
necessarily limited to information specifying the identity of a particular entity. For
example, an ID can contain a credential descriptor such as a license number, official
title, or security clearance associated with an entity. An agency can then manage the
credentials by providing private keys only to entities it certifies. In one exemplary
embodiment, an ID can contain a property descriptor such as a serial number, vehicle
identification number, patent number, or the like. An agency responsible for registering
property owners and authenticating owners can manage property registration by
providing private keys only to entities that it registers as true owners. More generally,
an association between two or more things can be managed by including identifiers for
them in an ID. The PKG then acts as the management authority for the associations
between things.

Another type of enhanced ID is an identifier that includes a time, a time interval, 
or a set of time intervals. A private key for such an identifier can then be constructed 
to automatically expire at a certain time, to automatically activate only after a certain 
time, or to be valid only for one or more specified time intervals. This technique can 
be combined with the credential and ownership management to control the time of 
activation and/or expiration. 

From the above examples, it is evident that identity-based encryption systems
according to the present invention are not limited to any particular type of identifier.
Thus, the term 'identity-based' should be understood in general terms as indicating
that any arbitrary character string or other arbitrary information may be used as a
basis.



According to another embodiment, an IBE system allows the delegation of decryption
capabilities. An entity can set up its own IBE system with its own secret
master key, and assume the role of PKG for this IBE system. Because the entity has 
the master key, it can issue keys to delegate decryption capabilities to others. For 
example, if the entity is a corporation, the employees can obtain private keys from the 
corporate PKG. Individuals can be issued private keys matching their names, titles, 
duties, projects, cases, or any other task-related identifier. In another example, an 
individual can issue to a laptop private keys that are valid only for the duration of 
a business trip. If the laptop is lost or stolen, only the keys for that time period are 
compromised. The master key, which remained at home, is uncompromised. 

It should also be pointed out that the medium of communication need not be 
limited to e-mail or the Internet, but could include any communication medium such 
as printed publications, digital storage media, radio broadcasting, wireless communications,
and so on.

Definitions 

Identity-Based Encryption. An exemplary embodiment of an identity-based encryption
system and method S uses four randomized algorithms: Setup, Extract,
Encrypt, Decrypt:

Setup: Given a security parameter k, return params (system parameters) and master-
key. The system parameters include a description of a finite message space M and
a description of a finite ciphertext space C. Normally, the system parameters will be
publicly known, while the master-key will be known only to a Private Key Generator
(PKG).

Extract: takes as input params, master-key, and an arbitrary ID ∈ {0,1}*, and
returns a private key d. Here ID is an arbitrary string that will be used as a public
key, and d is the corresponding private decryption key. The Extract algorithm
extracts a private key from the given public key. Because the extraction requires
the master-key, it is normally performed by the PKG.



WO 03/017559 PCT/US02/27155 

Encrypt: takes as input params, ID, and M ∈ 𝓜. It returns a ciphertext C ∈ 𝒞. 

Decrypt: takes as input params, C ∈ 𝒞, and a private key d. It returns M ∈ 𝓜. 



According to an embodiment of the invention, these algorithms satisfy the standard 
consistency constraint that ensures decryption will faithfully recover any encrypted 
message. More specifically, when d is the private key generated by algorithm Extract 
when it is given ID as the public key, then 

∀ M ∈ 𝓜 : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M). 

In an identity-based cryptosystem according to an embodiment of the invention, 
the above algorithms are used together as illustrated in FIG. 1. A sender 100 uses 
Encrypt, a receiver 110 uses Decrypt, and a PKG 120 uses Setup and Extract. To 
send a message M to receiver 110, the sender 100 obtains an ID of the receiver (e.g., 
the receiver's e-mail address) and combines it with a randomly selected integer r to 
compute a secret message key g_ID^r. The element rP is sent to receiver 110 who combines 
it with a private key d_ID to determine the same message key g_ID^r. Because the sender 
and receiver share the secret message key, a message encrypted with the key by the 
sender can be decrypted by the receiver. In particular, the sender encrypts M with the 
message key to produce ciphertext V which is communicated with rP to the receiver. 
The receiver then uses the secret message key to decrypt the ciphertext to recover 
the original message. In order to decrypt messages, however, the receiver 110 must 
first obtain the private key d_ID from the PKG 120. After the PKG authenticates the 
identity of the receiver, it provides the receiver with the private key corresponding to 
the receiver's ID. (Note that, in this embodiment, the PKG can compute any private 
key in the system, and can thus decrypt any message to any user in the system.) 

Chosen ciphertext security. Chosen ciphertext security (IND-CCA) is the stan- 
dard acceptable notion of security for a public key encryption scheme. An embod- 
iment of an identity-based encryption system and method may be implemented to 
satisfy this strong notion of security. Additionally, the selected level of chosen cipher- 
text security may be strengthened a bit. The reason is that when an adversary attacks 
a public key ID in an identity-based system, the adversary might already possess the 
private keys of users ID_1, ..., ID_n of her choice. In an embodiment of the invention, 
the system remains secure under such an attack. That is, the system remains secure 
even when the adversary can obtain the private key associated with any identity ID_i 
of her choice (other than the public key ID being attacked). We refer to such queries 
as private key extraction queries. The system of this embodiment also remains secure 
even though the adversary is challenged on a public key ID of her choice (as opposed 
to a random public key). 

We say that an embodiment of an identity-based encryption system or method 
ℰ is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) 
if no polynomially bounded adversary A has a non-negligible advantage against the 
Challenger in the following IND-ID-CCA game: 

Setup: The challenger takes a security parameter k and runs the Setup al- 
gorithm. It gives the adversary the resulting system parameters params. 
It keeps the master-key to itself. 

Phase 1: The adversary issues queries q_1, ..., q_m where query q_i is one 
of: 

- Extraction query ⟨ID_i⟩. The challenger responds by running algorithm 
Extract to generate the private key d_i corresponding to the public key 
⟨ID_i⟩. It sends d_i to the adversary. 

- Decryption query ⟨ID_i, C_i⟩. The challenger responds by running algo- 
rithm Extract to generate the private key d_i corresponding to ID_i. It 
then runs algorithm Decrypt to decrypt the ciphertext C_i using the 
private key d_i. It sends the resulting plain-text to the adversary. 

These queries may be asked adaptively, that is, each query q_i may depend 
on the replies to q_1, ..., q_{i-1}. 

Challenge: Once the adversary decides that Phase 1 is over it outputs 
two equal length plain-texts M_0, M_1 ∈ 𝓜 and an identity ID on which 
it wishes to be challenged. The only constraint is that ID did not appear 
in any private key extraction query in Phase 1. 

The challenger picks a random bit b ∈ {0, 1} and sets C = Encrypt(params, ID, M_b). 
It sends C as the challenge to the adversary. 

Phase 2: The adversary issues more queries q_{m+1}, ..., q_n where query q_i 
is one of: 

- Extraction query ⟨ID_i⟩ where ID_i ≠ ID. Challenger responds as in 
Phase 1. 

- Decryption query ⟨ID_i, C_i⟩ ≠ ⟨ID, C⟩. Challenger responds as in Phase 
1. 

These queries may be asked adaptively as in Phase 1. 

Guess: Finally, the adversary outputs a guess b' ∈ {0, 1}. The adversary 
wins the game if b = b'. 

We refer to such an adversary A as an IND-ID-CCA adversary. We define 
adversary A's advantage in attacking the scheme ℰ as the following func- 
tion of the security parameter k (k is given as input to the challenger): 

Adv_{ℰ,A}(k) = | Pr[b = b'] - 1/2 |. 

The probability is over the random bits used by the challenger and the 
adversary. 

Using the IND-ID-CCA game we can define chosen ciphertext security for IBE schemes. 
As usual, we say that a function g : ℝ → ℝ is negligible if g(k) is smaller than 1/f(k) 
for any polynomial f. 

Definition 1 We say that an IBE system ℰ is semantically secure against an adap- 
tive chosen ciphertext attack if for any polynomial time IND-ID-CCA adversary A the 
function Adv_{ℰ,A}(k) is negligible. As shorthand, we say that ℰ is IND-ID-CCA secure. 

Note that the standard definition of chosen ciphertext security (IND-CCA) is the 
same as above except that there are no private key extraction queries and the adver- 
sary is challenged on a random public key (rather than a public key of her choice). 
Private key extraction queries are related to the definition of chosen ciphertext secu- 
rity in the multiuser settings. After all, our definition involves multiple public keys 
belonging to multiple users. A multiuser IND-CCA may be reducible to single user 
IND-CCA using a standard hybrid argument. This does not hold in the identity-based 
settings, IND-ID-CCA, since the adversary gets to choose which public keys to corrupt 
during the attack. To emphasize the importance of private key extraction queries 
we note that one implementation of the disclosed IBE system can be modified (by 
removing one of the hash functions) into a system which has chosen ciphertext secu- 
rity when private extraction queries are disallowed. However, the implementation is 
insecure when extraction queries are allowed. 

Semantically secure identity based encryption. The proof of security for an 
implementation of our IBE system makes use of a weaker notion of security known as 
semantic security (also known as semantic security against a chosen plain-text attack). 
Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that 
the adversary is more limited; it cannot issue decryption queries while attacking the 
challenge public key. For a standard public key system (not an identity based system) 
semantic security is defined using the following game: (1) the adversary is given a 
random public key generated by the challenger, (2) the adversary outputs two equal 
length messages M_0 and M_1 and receives the encryption of M_b from the challenger 
where b is chosen at random in {0, 1}, (3) the adversary outputs b' and wins the game 
if b = b'. The public key system is said to be semantically secure if no polynomial time 
adversary can win the game with a non-negligible advantage. As shorthand we say 
that a semantically secure public key system is IND-CPA secure. Semantic security 
captures our intuition that given a ciphertext the adversary learns nothing about the 
corresponding plain-text. 

To define semantic security for identity based systems (denoted IND-ID-CPA) we 
strengthen the standard definition by allowing the adversary to issue chosen private 
key extraction queries. Similarly, the adversary is challenged on a public key ID of 
her choice. We define semantic security for identity based encryption schemes using 
an IND-ID-CPA game. The game is identical to the IND-ID-CCA game defined above 
except that the adversary cannot make any decryption queries. The adversary can 
only make private key extraction queries. We say that an identity-based encryption 
scheme ℰ is semantically secure (IND-ID-CPA) if no polynomially bounded adversary 
A has a non-negligible advantage against the Challenger in the following IND-ID-CPA 
game: 

Setup: The challenger takes a security parameter k and runs the Setup al- 
gorithm. It gives the adversary the resulting system parameters params. 
It keeps the master-key to itself. 

Phase 1: The adversary issues private key extraction queries ID_1, ..., ID_m. 
The challenger responds by running algorithm Extract to generate the 
private key d_i corresponding to the public key ID_i. It sends d_i to the 
adversary. These queries may be asked adaptively. 

Challenge: Once the adversary decides that Phase 1 is over it outputs 
two equal length plain-texts M_0, M_1 ∈ 𝓜 and a public key ID on which 
it wishes to be challenged. The only constraint is that ID did not appear 
in any private key extraction query in Phase 1. The challenger picks a 
random bit b ∈ {0, 1} and sets C = Encrypt(params, ID, M_b). It sends C 
as the challenge to the adversary. 

Phase 2: The adversary issues more extraction queries ID_{m+1}, ..., ID_n. 
The only constraint is that ID_i ≠ ID. The challenger responds as in 
Phase 1. 

Guess: Finally, the adversary outputs a guess b' ∈ {0, 1}. The adversary 
wins the game if b = b'. 

We refer to such an adversary A as an IND-ID-CPA adversary. As we did 
above, the advantage of an IND-ID-CPA adversary A against the scheme 
ℰ is the following function of the security parameter k: 

Adv_{ℰ,A}(k) = | Pr[b = b'] - 1/2 |. 

The probability is over the random bits used by the challenger and the 
adversary. 

Definition 2 We say that the IBE system ℰ is semantically secure if for any polyno- 
mial time IND-ID-CPA adversary A the function Adv_{ℰ,A}(k) is negligible. As shorthand, 
we say that ℰ is IND-ID-CPA secure. 

One way identity-based encryption. One can define an even weaker notion of 
security called one-way encryption (OWE). Roughly speaking, a public key encryption 
scheme is a one-way encryption if given the encryption of a random plain-text the 
adversary cannot produce the plain-text in its entirety. One-way encryption is a weak 
notion of security since there is nothing preventing the adversary from, say, learning 
half the bits of the plain-text. Hence, one-way encryption schemes do not generally 
provide secure encryption. In the random oracle model one-way encryption schemes 
can be used for encrypting session-keys (the session-key is taken to be the hash of the 
plain-text). We note that one can extend the notion of one-way encryption to identity 
based systems by adding private key extraction queries to the definition. We do not 
give the full definition here since we use semantic security as the weakest notion of 
security. 
Bilinear maps and the Bilinear Diffie-Hellman Assumption 

One embodiment of the invention is directed to an IBE system that makes use of 
a map e : G_1 × G_1 → G_2 between groups G_1 and G_2 of order q for some large prime 
q. A map e may be called an admissible map if it satisfies the following properties: 

1. Bilinear: The map e : G_1 × G_1 → G_2 satisfies e(aP, bQ) = e(P, Q)^{ab} for all 
(P, Q) ∈ G_1 × G_1 and all a, b ∈ ℤ. 

2. Non-degenerate: The map does not send all pairs in G_1 × G_1 to the identity in G_2. 
Observe that since G_1, G_2 are groups of prime order this implies that if G_0 = G_1 
and P is a generator of G_0 = G_1 then e(P, P) is a generator of G_2. 

3. Computable: There is an efficient algorithm to compute e(P, Q) for any (P, Q) ∈ 
G_1 × G_1. 

Although many of the embodiments are described with reference to a map e : G_1 × 
G_1 → G_2, this is only a specific case of bilinear maps used in embodiments of the 
invention. More generally, maps e : G_0 × G_1 → G_2 may be used, where G_0 and G_1 
may be distinct. For simplicity of description, however, the description of many of 
the embodiments focuses primarily on the case where G_0 and G_1 are the same, and 
both groups are then denoted G_1. Below we present a detailed exemplary embodi- 
ment using groups G_1, G_2 and an admissible map between them. In this exemplary 
embodiment, the group G_1 is a subgroup of the additive group of points of an elliptic 
curve E/𝔽_p, and the group G_2 is a subgroup of the multiplicative group of a finite 
field. As we will see below in the detailed example of an IBE system, the Weil 
pairing (which is not itself an admissible map) can be used to construct an admissible 
map between these two groups. 

The existence of the admissible map e : G_1 × G_1 → G_2 as above has two direct 
implications for these groups. 

The MOV reduction: The discrete log problem in G_1 is no harder than the discrete 
log problem in G_2. To see this, let P, Q ∈ G_1 be an instance of the discrete 
log problem in G_1 where both P, Q have order q. We wish to find an a ∈ ℤ_q 
such that Q = aP. Let g = e(P, P) and h = e(Q, P). Then, by bilinearity of 
e we know that h = g^a. By non-degeneracy of e both g, h have order q in G_2. 
Hence, we reduced the discrete log problem in G_1 to a discrete log problem in 
G_2. It follows that for discrete log to be hard in G_1 we must choose our security 
parameter so that discrete log is hard in G_2. 

Decision Diffie-Hellman is Easy: The Decision Diffie-Hellman problem (DDH) in 
G_1 is the problem of distinguishing between the distributions ⟨P, aP, bP, abP⟩ 
and ⟨P, aP, bP, cP⟩ where a, b, c are random in ℤ_q and P is random in G_1^*. To 
see that DDH in G_1 is easy, observe that given P, aP, bP, cP ∈ G_1^* we have 

c = ab mod q  ⟺  e(P, cP) = e(aP, bP). 

The Computational Diffie-Hellman problem (CDH) in G_1 can still be hard (CDH 
in G_1 is to find abP given random ⟨P, aP, bP⟩). Exemplary embodiments may 
use mappings e : G_1 × G_1 → G_2 where CDH in G_1 is believed to be hard even 
though DDH in G_1 is easy. 
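To make the three admissible-map properties and their two consequences (the MOV reduction and the DDH distinguisher) concrete, here is an added toy example; it is not code from the patent or from any pairing library. It replaces the elliptic-curve groups by G_1 = ℤ_q (written additively, so a "point" is an integer mod q and aP is a·P mod q) and G_2 = the order-q subgroup of ℤ_p^*, with e(A, B) = g^(AB mod q) mod p. The parameters q = 1019, p = 2039, g = 4 are constructed so that the toy runs, and the function names are this example's own. The map is genuinely bilinear and non-degenerate, but it offers no security at all: discrete logs in ℤ_q are trivial, which is exactly why real embodiments use elliptic-curve groups.

```python
import secrets

# Toy instantiation (constructed, NOT secure): G1 = Z_q written additively, G2 = the
# order-q subgroup of Z_p^* generated by g, and e(A, B) = g^(A*B mod q) mod p.
q = 1019       # prime order of G1 and G2
p = 2039       # prime with q | p-1  (p = 2q + 1)
g = 4          # 4 = 2^2 mod p has order q in Z_p^*
P = 1          # generator of G1 = Z_q

def e(A, B):
    """Admissible map e: G1 x G1 -> G2."""
    return pow(g, (A * B) % q, p)

def rand_scalar():
    return secrets.randbelow(q - 1) + 1   # uniform in Z_q^*

def is_bilinear(a, b):
    """Property 1: e(aP, bP) == e(P, P)^(ab)."""
    return e(a * P % q, b * P % q) == pow(e(P, P), (a * b) % q, p)

def is_non_degenerate():
    """Property 2: e(P, P) is not the identity of G2, hence generates G2 (prime order)."""
    return e(P, P) != 1

def ddh_is_dh_tuple(P_, aP, bP, cP):
    """DDH distinguisher: c == ab (mod q)  <=>  e(P, cP) == e(aP, bP)."""
    return e(P_, cP) == e(aP, bP)

def mov_reduce(P_, Q):
    """MOV reduction: map the DLP instance Q = aP in G1 to h = g'^a in G2 with
    g' = e(P, P), h = e(Q, P), then solve the DLP in G2. The toy G2 is small
    enough to solve by brute force; a real G2 must be sized so this is infeasible."""
    g_, h = e(P_, P_), e(Q, P_)
    x, acc = 0, 1
    while acc != h:                # brute-force DLP in G2 (toy sizes only)
        acc = (acc * g_) % p
        x += 1
    return x

def demo():
    """Check all properties on random scalars; every value should be True."""
    a, b, c = rand_scalar(), rand_scalar(), rand_scalar()
    aP, bP, cP, abP = a * P % q, b * P % q, c * P % q, (a * b) * P % q
    return {
        "bilinear": is_bilinear(a, b),
        "non_degenerate": is_non_degenerate(),
        "real_dh_tuple_accepted": ddh_is_dh_tuple(P, aP, bP, abP),
        # a random c equals ab only by chance; otherwise the tuple must be rejected
        "random_tuple_rejected": (c == a * b % q) or not ddh_is_dh_tuple(P, aP, bP, cP),
        "mov_recovers_a": mov_reduce(P, aP) == a,
    }

if __name__ == "__main__":
    print(demo())
```

The `mov_reduce` loop is the whole point of the MOV observation: once the pairing has moved the instance into G_2, the attacker never touches G_1 again, so the security parameter must make the discrete log in G_2 hard, not merely the one in G_1.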

The Bilinear Diffie-Hellman Assumption (BDH) 

Since the Decision Diffie-Hellman problem (DDH) in Gi is easy, embodiments of 
the invention do not use DDH to build cryptosystems in the group Gi. Instead, the 
security in embodiments of our IBE system is based on a novel variant of the Com- 
putational Diffie-Hellman assumption called the Bilinear Diffie-Hellman Assumption 
(BDH). 

Bilinear Diffie-Hellman Problem. Let G_1, G_2 be two groups of prime order q. 
Let e : G_1 × G_1 → G_2 be an admissible map and let P be a generator of G_1. The 
BDH problem in ⟨G_1, G_2, e⟩ is as follows: Given ⟨P, aP, bP, cP⟩ for some a, b, c ∈ ℤ_q^* 
compute W = e(P, P)^{abc} ∈ G_2. An algorithm A has advantage ε in solving BDH in 
⟨G_1, G_2, e⟩ if 

Pr[ A(P, aP, bP, cP) = e(P, P)^{abc} ] ≥ ε 

where the probability is over the random choice of a, b, c in ℤ_q^*, the random choice of 
P ∈ G_1^*, and the random bits of A. 

BDH Parameter Generator. We say that a randomized algorithm 𝒢 is a BDH 
parameter generator if (1) 𝒢 takes a security parameter k ∈ ℤ^+, (2) 𝒢 runs in poly- 
nomial time in k, and (3) 𝒢 outputs a prime number q, the description of two groups 
G_1, G_2 of order q, and the description of an admissible map e : G_1 × G_1 → G_2. We 
denote the output of 𝒢 by 𝒢(1^k) = ⟨q, G_1, G_2, e⟩. The security parameter k is used 
to determine the size of q; for example, one could take q to be a random k-bit prime. 
For i = 1, 2 we assume that the description of the group G_i contains polynomial time 
(in k) algorithms for computing the group action in G_i and contains a generator of 
G_i. The generator of G_i enables us to generate uniformly random elements in G_i. 
Similarly, we assume that the description of e contains a polynomial time algorithm 
for computing e. We give an example of a BDH parameter generator below in the 
detailed example of an IBE system using the Weil pairing. 

Bilinear Diffie-Hellman Assumption. Let 𝒢 be a BDH parameter generator. 
We say that an algorithm A has advantage ε(k) in solving the BDH problem for 𝒢 if 
for sufficiently large k: 

Adv_{𝒢,A}(k) = Pr[ A(q, G_1, G_2, e, P, aP, bP, cP) = e(P, P)^{abc} | ⟨q, G_1, G_2, e⟩ ← 𝒢(1^k), P ← G_1^*, a, b, c ← ℤ_q^* ] ≥ ε(k) 

We say that 𝒢 satisfies the BDH assumption if for any randomized polynomial time 
(in k) algorithm A and for any polynomial f ∈ ℤ[x] algorithm A solves the BDH 
problem with advantage at most 1/f(k). When 𝒢 satisfies the BDH assumption we 
say that BDH is hard in groups generated by 𝒢. 

In the description below of a detailed example of an IBE system we give some 
examples of BDH parameter generators that are believed to satisfy the BDH assump- 
tion. 

Hardness of BDH. It is interesting to study the relationship of the BDH problem 
to other hard problems used in cryptography. Currently, all we can say is that the 
BDH problem in ⟨G_1, G_2, e⟩ is no harder than the CDH problem in G_1 or G_2. In other 
words, an algorithm for CDH in G_1 or G_2 is sufficient for solving BDH in ⟨G_1, G_2, e⟩. 
The converse is currently an open problem: is an algorithm for BDH sufficient for 
solving CDH in G_1 or in G_2? 

We note that in a detailed example of an IBE system below, the isomorphisms 
from G_1 to G_2 induced by the admissible map are believed to be one-way functions. 
More specifically, for a point Q ∈ G_1^* define the isomorphism f_Q : G_1 → G_2 by 
f_Q(P) = e(P, Q). If any one of these isomorphisms turns out to be invertible, then 
BDH is easy in ⟨G_1, G_2, e⟩. Fortunately, an efficient algorithm for inverting f_Q would 
imply an efficient algorithm for deciding DDH in the group G_2. In the exemplary 
embodiments DDH is believed to be hard in the group G_2. Hence, the isomorphisms 
f_Q : G_1 → G_2 induced by the admissible map are believed to be one-way functions. 

Exemplary Identity-Based Encryption Scheme 

We describe the following exemplary embodiments in stages. First, we describe 
a basic identity-based encryption system and method which is not secure against an 
adaptive chosen ciphertext attack. Another embodiment described below extends the 
basic scheme to get security against an adaptive chosen ciphertext attack (IND-ID- 
CCA) in the random oracle model. We later relax some of the requirements on the hash 
functions to provide alternative embodiments. These embodiments are described with 
reference to a generic BDH parameter generator 𝒢 satisfying the BDH assumption. 
Later we describe a detailed example of an IBE system using the Weil pairing. 

BasicIdent 

The following describes a basic embodiment, called BasicIdent. We present the 
embodiment by describing the four algorithms: Setup, Extract, Encrypt, Decrypt. We 
let k be the security parameter given to the setup algorithm. We let 𝒢 be some BDH 
parameter generator. 

Setup: Given a security parameter k ∈ ℤ^+, the algorithm in the basic embodiment 
works as follows: 

Step 1: Run 𝒢 on input k to generate a prime q, two groups G_1, G_2 of order q, and 
an admissible map e : G_1 × G_1 → G_2. Choose an arbitrary generator P ∈ G_1. 

Step 2: Pick a random s ∈ ℤ_q^* and set P_pub = sP. 

Step 3: Choose a cryptographic hash function H_1 : {0, 1}^* → G_1^*. Choose a 
cryptographic hash function H_2 : G_2 → {0, 1}^n for some n. The security analysis 
will view H_1, H_2 as random oracles. 

The message space is 𝓜 = {0, 1}^n. The ciphertext space is 𝒞 = G_1^* × {0, 1}^n. The 
system parameters are params = ⟨q, G_1, G_2, e, n, P, P_pub, H_1, H_2⟩. The master-key is 
s ∈ ℤ_q^*. 

Embodiments of the IBE system may be used to encrypt a symmetric key, in which 
case one may take n to be, for example, 128 or 256. For k one may use, for example, 
512 or 1024 or 2048. 

Extract: For a given string ID ∈ {0, 1}^* the algorithm in the basic embodiment does: 
(1) computes Q_ID = H_1(ID) ∈ G_1^*, and (2) sets the private key d_ID to be d_ID = sQ_ID 
where s is the master key. 

Extract may be performed by a PKG in various embodiments as illustrated in FIG. 
2. The PKG obtains the master key in block 200, obtains the public identifier ID 
in block 210, computes the public key from the ID in block 220, then computes 
the private key from the master key and the public key in block 230. In block 240 
the private key is then sent to an entity associated with the public identifier ID, 
normally after the entity's identity has been authenticated. 
Encrypt: To encrypt M ∈ 𝓜 under the public key ID do the following: (1) compute 
Q_ID = H_1(ID) ∈ G_1^*, (2) choose a random r ∈ ℤ_q^*, and (3) set the ciphertext to be 

C = ⟨rP, M ⊕ H_2(g_ID^r)⟩ where g_ID = e(Q_ID, P_pub) ∈ G_2. 

In the basic embodiment, the sender of a message may perform Encrypt as illustrated 
in FIG. 3. In block 300 the system parameters are obtained (from an external 
resource such as a PKG, or from a local storage medium if they were obtained 
previously). A receiver's ID is determined in block 310, and the corresponding 
public key is computed from the ID in block 320. Then the secret message key is 
computed in block 330, and the message key is used to encrypt the message in block 
340. 

Decrypt: Let C = ⟨U, V⟩ ∈ 𝒞 be a ciphertext encrypted using the public key ID. To 
decrypt C using the private key d_ID ∈ G_1^* compute: 

V ⊕ H_2(e(d_ID, U)) = M. 

In the basic embodiment, the receiver may perform Decrypt as illustrated in FIG. 
4. In block 400, the system parameters are obtained (from an external resource 
such as a PKG, or from a local storage medium if they were obtained previously). 
The ciphertext V and an element rP are obtained from the sender in block 410. 
The element rP may be considered a portion of the total ciphertext obtained from 
the sender. In block 420 the receiver obtains the private key d_ID corresponding to 
the public identifier ID used to encrypt the message. The private key is normally 
obtained from an external resource such as a PKG, or from a local storage medium 
if it was obtained previously. The secret message key is then computed in block 
430, and used to decrypt the message in block 440. 

This completes the description of BasicIdent for the basic embodiment. We first verify 
consistency. When everything is computed as above we have: 

1. During encryption M is bitwise exclusive-ored with the hash of: g_ID^r. 

2. During decryption V is bitwise exclusive-ored with the hash of: e(d_ID, U). 

These masks used during encryption and decryption are the same since: 

e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, P)^{sr} = e(Q_ID, P_pub)^r = g_ID^r. 

Thus, applying decryption after encryption produces the original message M as re- 
quired. Performance considerations of BasicIdent are discussed later. 



Security. Next, we study the security of this basic embodiment. 

The security of the exemplary system is based on the assumption that a variant 
of the Computational Diffie-Hellman problem in G_1 is hard. The technical security 
details of the encryption scheme are discussed by the inventors in D. Boneh, M. 
Franklin, "Identity based encryption from the Weil pairing", extended abstract in 
Advances in Cryptology - Crypto 2001, Lecture Notes in Computer Science, Vol. 
2139, Springer-Verlag, pp. 213-229, 2001, which is incorporated herein by reference. 

In an exemplary embodiment, the performance of the system is comparable to the 
performance of ElGamal encryption in 𝔽_p^*. The security of the exemplary system is 
based on a variant of the computational Diffie-Hellman assumption. Based on this 
assumption we show that the exemplary system has chosen ciphertext security in the 
random oracle model. In accordance with a distributed PKG embodiment, threshold 
cryptography techniques allow the PKG to be distributed so that the master-key is 
never available in a single location. Unlike common threshold systems, we show that 
robustness for the distributed PKG embodiment is free. 

To argue about the security of the exemplary system, we define chosen ciphertext 
security for identity-based encryption. Our model gives the adversary more power 
than the standard model for chosen ciphertext security. First, we allow the attacker 
to attack an arbitrary public key ID of her choice. Second, while mounting a chosen 
ciphertext attack on ID we allow the attacker to obtain from the PKG the private key 
for any public key of her choice, other than the private key for ID. This models an 
attacker who obtains a number of private keys corresponding to some identities of her 
choice and then tries to attack some other public key ID of her choice. Even with the 
help of such queries, it is desirable that the attacker still have negligible advantage in 
defeating the semantic security of the system. 

The following theorem shows that BasicIdent is a semantically secure identity 
based encryption scheme (IND-ID-CPA) assuming BDH is hard in groups generated 
by 𝒢. 

Theorem 1 Suppose the hash functions H_1, H_2 are random oracles. Then BasicIdent 
is a semantically secure identity based encryption scheme (IND-ID-CPA) assuming 
BDH is hard in groups generated by 𝒢. Concretely, suppose there is an IND-ID-CPA 
adversary A that has advantage ε(k) against the scheme BasicIdent. Suppose A makes 
at most q_E > 0 private key extraction queries and q_H2 > 0 hash queries to H_2. Then 
there is an algorithm B that solves BDH in groups generated by 𝒢 with advantage at 
least: 

Adv_{𝒢,B}(k) ≥ 2ε(k) / (e(1 + q_E) q_H2). 

Here e ≈ 2.71 is the base of the natural logarithm. The running time of B is 
O(time(A)). 

To prove the theorem we first define a related Public Key Encryption scheme (not 
an identity based scheme), called BasicPub. BasicPub is described by three algorithms: 
keygen, encrypt, decrypt. 

keygen: Given a security parameter k ∈ ℤ^+, the algorithm works as follows: 

Step 1: Run 𝒢 on input k to generate two prime order groups G_1, G_2 and an 
admissible map e : G_1 × G_1 → G_2. Let q be the order of G_1, G_2. Choose an 
arbitrary generator P ∈ G_1. 

Step 2: Pick a random s ∈ ℤ_q^* and set P_pub = sP. Pick a random Q_ID ∈ G_1^*. 

Step 3: Choose a cryptographic hash function H_2 : G_2 → {0, 1}^n for some n. 

Step 4: The public key is ⟨q, G_1, G_2, e, n, P, P_pub, Q_ID, H_2⟩. The private key is d_ID = 
sQ_ID ∈ G_1^*. 



encrypt: To encrypt M ∈ {0, 1}^n choose a random r ∈ ℤ_q^* and set the ciphertext to 
be: 

C = ⟨rP, M ⊕ H_2(g^r)⟩ where g = e(Q_ID, P_pub) ∈ G_2^*. 

decrypt: Let C = ⟨U, V⟩ be a ciphertext created using the public key ⟨q, G_1, G_2, e, n, P, P_pub, Q_ID, H_2⟩. 
To decrypt C using the private key d_ID ∈ G_1^* compute: 

V ⊕ H_2(e(d_ID, U)) = M. 

This completes the description of BasicPub. We now prove Theorem 1 in two steps. 
We first show that an IND-ID-CPA attack on BasicIdent can be converted to an IND-CPA 
attack on BasicPub. This step shows that private key extraction queries do not help 
the adversary. We then show that BasicPub is IND-CPA secure if the BDH assumption 
holds. The proofs are omitted. 

Lemma 2 Let H_1 be a random oracle from {0, 1}^* to G_1^*. Let A be an IND-ID- 
CPA adversary that has advantage ε(k) against BasicIdent. Suppose A makes at most 
q_E > 0 private key extraction queries. Then there is an IND-CPA adversary B that has 
advantage at least ε(k)/(e(1 + q_E)) against BasicPub. Its running time is O(time(A)). 

Lemma 3 Let H_2 be a random oracle from G_2 to {0, 1}^n. Let A be an IND-CPA 
adversary that has advantage ε(k) against BasicPub. Suppose A makes a total of 
q_H2 > 0 queries to H_2. Then there is an algorithm B that solves the BDH problem for 
𝒢 with advantage at least 2ε(k)/q_H2 and a running time O(time(A)). 

Proof of Theorem 1. The theorem follows directly from Lemma 2 and Lemma 3. 
Composing both reductions shows that an IND-ID-CPA adversary on BasicIdent with 
advantage ε(k) gives a BDH algorithm for 𝒢 with advantage at least 2ε(k)/(e(1 + q_E) q_H2), 
as required. □ 

Identity-Based Encryption with Chosen Ciphertext Security 

According to one embodiment of the invention, a technique of Fujisaki and Okamoto 
(described in E. Fujisaki and T. Okamoto, "Secure integration of asymmetric and sym- 
metric encryption schemes", in Advances in Cryptology - Crypto '99, Lecture Notes 
in Computer Science, Vol. 1666, Springer-Verlag, pp. 537-554, 1999, which is incor- 
porated herein by reference) may be appropriately adapted to convert the BasicIdent 
embodiment of the previous section into a chosen ciphertext secure embodiment of 
an IBE system (in the sense defined earlier) in the random oracle model. Let ℰ be a 
probabilistic public key encryption scheme. We denote by ℰ_pk(M; r) the encryption 
of M using the random bits r under the public key pk. Fujisaki-Okamoto define the 
hybrid scheme ℰ^hy as: 

ℰ^hy_pk(M) = ⟨ℰ_pk(σ; H_3(σ, M)), H_4(σ) ⊕ M⟩ 

Here σ is generated at random and H_3, H_4 are cryptographic hash functions. Fujisaki- 
Okamoto show that if ℰ is a one-way encryption scheme then ℰ^hy is a chosen ciphertext 
secure system (IND-CCA) in the random oracle model (assuming ℰ_pk satisfies some 
natural constraints). We note that semantic security implies one-way encryption and 
hence the Fujisaki-Okamoto result also applies if ℰ is semantically secure (IND-CPA). 

We apply the Fujisaki-Okamoto transformation to BasicIdent and show that the 
resulting embodiment of an IBE system is IND-ID-CCA secure. We obtain the fol- 
lowing IBE embodiment which we call FullIdent. Recall that n is the length of the 
message to be encrypted. 

Setup: As in the BasicIdent scheme. In addition, we pick a hash function H_3 : 
{0, 1}^n × {0, 1}^n → ℤ_q^*, and a hash function H_4 : {0, 1}^n → {0, 1}^n. 

Extract: As in the BasicIdent scheme. 

Encrypt: To encrypt M ∈ {0, 1}^n under the public key ID do the following: (1) 
compute Q_ID = H_1(ID) ∈ G_1^*, (2) choose a random σ ∈ {0, 1}^n, (3) set r = H_3(σ, M), 
and (4) set the ciphertext to be 

C = ⟨rP, σ ⊕ H_2(g_ID^r), M ⊕ H_4(σ)⟩ where g_ID = e(Q_ID, P_pub) ∈ G_2 

Decrypt: Let C = ⟨U, V, W⟩ be a ciphertext encrypted using the public key ID. If 
U ∉ G_1^* reject the ciphertext. To decrypt C using the private key d_ID ∈ G_1^* do: 

1. Compute V ⊕ H_2(e(d_ID, U)) = σ. 

2. Compute W ⊕ H_4(σ) = M. 

3. Set r = H_3(σ, M). Test that U = rP. If not, reject the ciphertext. 

4. Output M as the decryption of C. 

This completes the description of FullIdent. Its implementation follows the same 
basic pattern as BasicIdent shown in FIGS. 2, 3, 4. Note that M is encrypted as 
W = M ⊕ H_4(σ). This can be replaced by W = E_{H_4(σ)}(M) where E is a semantically 
secure symmetric encryption scheme. 
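As an added example, not code from the patent, the following toy Python implements Setup, Extract, and both the BasicIdent Encrypt/Decrypt described earlier and the FullIdent Encrypt/Decrypt just given, over a constructed bilinear map (G_1 = ℤ_q additive, G_2 = the order-q subgroup of ℤ_p^*, e(A, B) = g^(AB mod q) mod p, with constructed parameters q = 1019, p = 2039, g = 4) and with H_1 through H_4 built from SHA-256. It is structurally faithful to the two schemes but has no security, since discrete logs in this G_1 are trivial. The `demo` function checks consistency of both schemes and shows what the Fujisaki-Okamoto step buys: flipping one bit of a BasicIdent ciphertext flips the corresponding plaintext bit, whereas FullIdent's U = rP test rejects the tampered ciphertext. Function names such as `basic_encrypt` and `full_decrypt` are this example's own.

```python
import hashlib
import secrets

# Toy instantiation (constructed, NOT secure): G1 = Z_q written additively (a
# "point" is an integer mod q, aP is a*P mod q), G2 = the order-q subgroup of
# Z_p^* generated by g, and the admissible map is e(A, B) = g^(A*B mod q) mod p.
Q_ORDER, P_MOD, G2_GEN = 1019, 2039, 4   # q prime, p = 2q+1 prime, g = 2^2 has order q
P_GEN = 1                                # arbitrary generator P of G1
N_BYTES = 16                             # n = 128: messages are 16-byte strings

def pairing(a, b):
    return pow(G2_GEN, (a * b) % Q_ORDER, P_MOD)

def _sha(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

def H1(identity):           # {0,1}^* -> G1^* (nonzero element of Z_q)
    return int.from_bytes(_sha(b"H1", identity.encode()), "big") % (Q_ORDER - 1) + 1

def H2(g2_elem):            # G2 -> {0,1}^n
    return _sha(b"H2", g2_elem.to_bytes(4, "big"))[:N_BYTES]

def H3(sigma, message):     # {0,1}^n x {0,1}^n -> Z_q^*
    return int.from_bytes(_sha(b"H3", sigma, message), "big") % (Q_ORDER - 1) + 1

def H4(sigma):              # {0,1}^n -> {0,1}^n
    return _sha(b"H4", sigma)[:N_BYTES]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Setup: master-key s in Z_q^*, public P_pub = sP (other params are module constants)."""
    s = secrets.randbelow(Q_ORDER - 1) + 1
    return {"Ppub": (s * P_GEN) % Q_ORDER}, s

def extract(master_key, identity):
    """Extract (run by the PKG): d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (master_key * H1(identity)) % Q_ORDER

def basic_encrypt(params, identity, message):
    """BasicIdent Encrypt: C = <rP, M xor H2(g_ID^r)>, g_ID = e(Q_ID, P_pub)."""
    r = secrets.randbelow(Q_ORDER - 1) + 1
    g_id = pairing(H1(identity), params["Ppub"])
    return (r * P_GEN) % Q_ORDER, xor(message, H2(pow(g_id, r, P_MOD)))

def basic_decrypt(d_id, ciphertext):
    """BasicIdent Decrypt: M = V xor H2(e(d_ID, U)); there is no integrity check."""
    U, V = ciphertext
    return xor(V, H2(pairing(d_id, U)))

def full_encrypt(params, identity, message):
    """FullIdent Encrypt: r = H3(sigma, M) binds the randomness to the plaintext."""
    sigma = secrets.token_bytes(N_BYTES)
    r = H3(sigma, message)
    g_id = pairing(H1(identity), params["Ppub"])
    return ((r * P_GEN) % Q_ORDER,
            xor(sigma, H2(pow(g_id, r, P_MOD))),
            xor(message, H4(sigma)))

def full_decrypt(d_id, ciphertext):
    """FullIdent Decrypt: recover sigma and M, recompute r, reject unless U == rP."""
    U, V, W = ciphertext
    if not 0 < U < Q_ORDER:                      # U must lie in G1^*
        return None
    sigma = xor(V, H2(pairing(d_id, U)))
    message = xor(W, H4(sigma))
    if (H3(sigma, message) * P_GEN) % Q_ORDER != U:
        return None                              # not an honestly formed ciphertext
    return message

def demo():
    """Consistency of both schemes, plus the malleability that FullIdent removes."""
    params, s = setup()
    d_bob = extract(s, "bob@example.com")
    m = b"session-key-0123"                      # constructed 16-byte message
    flip = b"\x01" + bytes(N_BYTES - 1)          # flips one plaintext bit
    U, V = basic_encrypt(params, "bob@example.com", m)
    U3, V3, W3 = full_encrypt(params, "bob@example.com", m)
    return {
        "basic_ok": basic_decrypt(d_bob, (U, V)) == m,
        "full_ok": full_decrypt(d_bob, (U3, V3, W3)) == m,
        # BasicIdent: flipping a bit of V flips the same bit of the decrypted M.
        "basic_mauled_decrypts": basic_decrypt(d_bob, (U, xor(V, flip))) == xor(m, flip),
        # FullIdent: the U == rP test catches the same manipulation of W.
        "full_mauled_rejected": full_decrypt(d_bob, (U3, V3, xor(W3, flip))) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Two details of `full_decrypt` matter in practice: the membership test on U comes before any pairing is computed, as the scheme's Decrypt step requires, and both rejection paths return the same value so the caller learns nothing about which check failed. In this toy, q is so small that a tampered FullIdent ciphertext is accepted with probability about 1/q; with a cryptographically sized q that probability is negligible.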

Security. The following theorem shows that FullIdent is a chosen ciphertext secure IBE (i.e. IND-ID-CCA), assuming BDH is hard in groups generated by $\mathcal{G}$. 

Theorem 4 Let the hash functions $H_1, H_2, H_3, H_4$ be random oracles. Then FullIdent is a chosen ciphertext secure IBE (IND-ID-CCA) assuming BDH is hard in groups generated by $\mathcal{G}$. 

Concretely, suppose there is an IND-ID-CCA adversary $\mathcal{A}$ that has advantage $\epsilon(k)$ against the scheme FullIdent and $\mathcal{A}$ runs in time at most $t(k)$. Suppose $\mathcal{A}$ makes at most $q_E$ extraction queries, at most $q_D$ decryption queries, and at most $q_{H_2}, q_{H_3}, q_{H_4}$ queries to the hash functions $H_2, H_3, H_4$ respectively. Then there is a BDH algorithm $\mathcal{B}$ for $\mathcal{G}$ with running time $t_1(k)$ where: 

$\mathrm{Adv}_{\mathcal{G},\mathcal{B}}(k) \ge 2\,FO_{adv}\big(\epsilon(k)/(e(1 + q_E + q_D)),\ q_{H_4},\ q_{H_3},\ q_D\big) / q_{H_2}$ 
$t_1(k) \le FO_{time}(t(k), q_{H_4}, q_{H_3})$ 

where the functions $FO_{time}$ and $FO_{adv}$ are defined in Theorem 5. 

The proof of Theorem 4 is based on the following result of Fujisaki and Okamoto. Let $\mathrm{BasicPub}^{hy}$ be the result of applying the Fujisaki-Okamoto transformation to BasicPub. 

Theorem 5 (Fujisaki-Okamoto) Suppose $\mathcal{A}$ is an IND-CCA adversary that achieves advantage $\epsilon(k)$ when attacking $\mathrm{BasicPub}^{hy}$. Suppose $\mathcal{A}$ has running time $t(k)$, makes at most $q_D$ decryption queries, and makes at most $q_{H_3}, q_{H_4}$ queries to the hash functions $H_3, H_4$ respectively. Then there is an IND-CPA adversary $\mathcal{B}$ against BasicPub with running time $t_1(k)$ and advantage $\epsilon_1(k)$ where 

$t_1(k) \le FO_{time}(t(k), q_{H_4}, q_{H_3}) = t(k) + O((q_{H_4} + q_{H_3}) \cdot n)$, and 

Here q is the size of the groups $G_1, G_2$ and n is the length of $\sigma$. 
In fact, Fujisaki-Okamoto prove a stronger result: Under the hypothesis of Theorem 5, $\mathrm{BasicPub}^{hy}$ would not even be a one-way encryption scheme. For our purposes the result in Theorem 5 is sufficient. To prove Theorem 4 we also need the following lemma to translate between an IND-ID-CCA chosen ciphertext attack on FullIdent and an IND-CCA chosen ciphertext attack on $\mathrm{BasicPub}^{hy}$. 

Lemma 6 Let $\mathcal{A}$ be an IND-ID-CCA adversary that has advantage $\epsilon(k)$ against FullIdent. Suppose $\mathcal{A}$ makes at most $q_E > 0$ private key extraction queries and at most $q_D$ decryption queries. Then there is an IND-CCA adversary $\mathcal{B}$ that has advantage at least $\epsilon(k)/(e(1 + q_E + q_D))$ against $\mathrm{BasicPub}^{hy}$. Its running time is $O(\mathrm{time}(\mathcal{A}))$. 

Proof of Theorem 4. By Lemma 6 an IND-ID-CCA adversary on FullIdent implies an IND-CCA adversary on $\mathrm{BasicPub}^{hy}$. By Theorem 5 an IND-CCA adversary on $\mathrm{BasicPub}^{hy}$ implies an IND-CPA adversary on BasicPub. By Lemma 3 an IND-CPA adversary on BasicPub implies an algorithm for BDH. Composing all these reductions gives the required bounds. □ 



Relaxing the hashing requirements 

Recall that an IBE system of Section uses a hash function $H_1 : \{0,1\}^* \to G_1^*$. The detailed example of an IBE system presented in the next section uses $G_1$ as a subgroup of the group of points on an elliptic curve. In practice, it sometimes can be difficult to build hash functions that hash directly onto such groups. In an exemplary embodiment, we therefore show how to relax the requirement of hashing directly onto $G_1^*$. Rather than hash onto $G_1^*$ we hash onto some set $A \subseteq \{0,1\}^*$ and then use a deterministic encoding function to map A onto $G_1^*$. 

Admissible encodings: Let $G_1$ be a group and let $A \subseteq \{0,1\}^*$ be a finite set. We say that an encoding function $L : A \to G_1^*$ is admissible if it satisfies the following properties: 

1. Computable: There is an efficient deterministic algorithm to compute $L(x)$ for any $x \in A$. 

2. $\ell$-to-1: For any $y \in G_1^*$ the preimage of y under L has size exactly $\ell$. In other words, $|L^{-1}(y)| = \ell$ for all $y \in G_1^*$. Note that this implies that $|A| = \ell \cdot |G_1^*|$. 

3. Samplable: There is an efficient randomized algorithm $\mathcal{L}_S$ such that $\mathcal{L}_S(y)$ induces a uniform distribution on $L^{-1}(y)$ for any $y \in G_1^*$. In other words, $\mathcal{L}_S(y)$ is a uniform random element in $L^{-1}(y)$. 

We modify FullIdent to obtain an IND-ID-CCA secure embodiment of an IBE system where $H_1$ is replaced by a hash function into some set A. Since the change is relatively minor we refer to this new scheme as FullIdent': 

Setup: As in the FullIdent embodiment. The only difference is that $H_1$ is replaced by a hash function $H_1' : \{0,1\}^* \to A$. The system parameters also include a description of an admissible encoding function $L : A \to G_1^*$. 

Extract, Encrypt: As in the FullIdent embodiment. The only difference is that in Step 1 these algorithms compute $Q_{ID} = L(H_1'(\mathrm{ID})) \in G_1^*$. 

Decrypt: As in the FullIdent embodiment. 

This completes the description of FullIdent'. The following theorem shows that FullIdent' is a chosen ciphertext secure IBE (i.e. IND-ID-CCA), assuming FullIdent is. 

Theorem 7 Let $\mathcal{A}$ be an IND-ID-CCA adversary on FullIdent' that achieves advantage $\epsilon(k)$. Suppose $\mathcal{A}$ makes at most $q_{H_1}$ queries to the hash function $H_1'$. Then there is an IND-ID-CCA adversary $\mathcal{B}$ on FullIdent that achieves the same advantage $\epsilon(k)$ and $\mathrm{time}(\mathcal{B}) = \mathrm{time}(\mathcal{A}) + q_{H_1} \cdot \mathrm{time}(\mathcal{L}_S)$. 

Proof Sketch Algorithm $\mathcal{B}$ attacks FullIdent by running algorithm $\mathcal{A}$. It relays all decryption queries, extraction queries, and hash queries from $\mathcal{A}$ directly to the challenger and relays the challenger's response back to $\mathcal{A}$. It only behaves differently when $\mathcal{A}$ issues a hash query to $H_1'$. Recall that $\mathcal{B}$ only has access to a hash function $H_1 : \{0,1\}^* \to G_1^*$. To respond to $H_1'$ queries algorithm $\mathcal{B}$ maintains a list of tuples $\langle \mathrm{ID}_j, y_j \rangle$ as explained below. We refer to this list as the $(H_1')^{list}$. The list is initially empty. When $\mathcal{A}$ queries the oracle $H_1'$ at a point $\mathrm{ID}_i$ algorithm $\mathcal{B}$ responds as follows: 

1. If the query $\mathrm{ID}_i$ already appears on the $(H_1')^{list}$ in a tuple $\langle \mathrm{ID}_i, y_i \rangle$ then respond with $H_1'(\mathrm{ID}_i) = y_i \in A$. 

2. Otherwise, $\mathcal{B}$ issues a query for $H_1(\mathrm{ID}_i)$. Say, $H_1(\mathrm{ID}_i) = \alpha \in G_1^*$. 

3. $\mathcal{B}$ runs the sampling algorithm $\mathcal{L}_S(\alpha)$ to generate a random element $y \in L^{-1}(\alpha)$. 

4. $\mathcal{B}$ adds the tuple $\langle \mathrm{ID}_i, y \rangle$ to the $(H_1')^{list}$ and responds to $\mathcal{A}$ with $H_1'(\mathrm{ID}_i) = y \in A$. Note that y is uniformly distributed in A as required since $\alpha$ is uniformly distributed in $G_1^*$ and L is an $\ell$-to-1 map. 

Algorithm $\mathcal{B}$'s responses to all of $\mathcal{A}$'s queries, including $H_1'$ queries, are identical to $\mathcal{A}$'s view in the real attack. Hence, $\mathcal{B}$ will have the same advantage $\epsilon(k)$ in winning the game with the challenger. □ 



A DETAILED EXAMPLE OF AN IBE SYSTEM USING THE WEIL PAIRING 

In this section we use Fullldent' to describe a detailed example of an embodiment of 
an IBE system. This embodiment is based on the Weil pairing. Although in practice 
the Tate pairing has computational advantages and may be used instead of the Weil 
pairing in various embodiments, the implementation using the Weil pairing will be 
described first because it is simpler. Later, the Tate pairing will be discussed. 

Properties of the Weil Pairing 

Let $p > 3$ be a prime satisfying $p = 2 \bmod 3$ and let q be some prime factor of $p + 1$. Let E be the elliptic curve defined by the equation $y^2 = x^3 + 1$ over $\mathbb{F}_p$. We state a few elementary facts about this curve E. From here on we let $E(\mathbb{F}_{p^r})$ denote the group of points on E defined over $\mathbb{F}_{p^r}$. 

Fact 1: Since $x^3 + 1$ is a permutation on $\mathbb{F}_p$ it follows that the group $E(\mathbb{F}_p)$ contains $p + 1$ points. We let O denote the point at infinity. Let $P \in E(\mathbb{F}_p)$ be a point of order q and let $G_1$ be the subgroup of points generated by P. 

Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence, if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then y is uniform in $\mathbb{F}_p$. We use this property to build a simple admissible encoding function. 

Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0 \bmod p$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on the curve E. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$, but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence, $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$. 

Fact 4: Since the points $P \in G_1$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$. 
Let $G_2$ be the subgroup of $\mathbb{F}_{p^2}^*$ of order q. The Weil pairing on the curve $E(\mathbb{F}_{p^2})$ is a mapping $e : E[q] \times E[q] \to G_2$. (This map is defined and discussed in the section below entitled Description of the Weil Pairing.) For any $Q, R \in E(\mathbb{F}_p)$ the Weil pairing satisfies $e(Q, R) = 1$. In other words, the Weil pairing is degenerate on $E(\mathbb{F}_p)$, and hence degenerate on the group $G_1$. To get a non-degenerate map we define the modified Weil pairing $\hat{e} : G_1 \times G_1 \to G_2$ as follows: 

$\hat{e}(P, Q) = e(P, \phi(Q))$ 

The modified Weil pairing satisfies the following properties: 

1. Bilinear: For all $P, Q \in G_1$ and for all $a, b \in \mathbb{Z}$ we have $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$. 

2. Non-degenerate: If P is a generator of $G_1$ then $\hat{e}(P, P) \in \mathbb{F}_{p^2}^*$ is a generator of $G_2$. 

3. Computable: Given $P, Q \in G_1$ there is an efficient algorithm to compute $\hat{e}(P, Q) \in G_2$. (This algorithm is described in the section below entitled Description of the Weil Pairing.) Its running time is comparable to exponentiation in $\mathbb{F}_p$. 

Although the Computational Diffie-Hellman problem (CDH) appears to be hard in the group $G_1$, the Decision Diffie-Hellman problem (DDH) is easy in $G_1$. 

BDH Parameter Generator $\mathcal{G}_1$: Given a security parameter $2 < k \in \mathbb{Z}$ the BDH parameter generator picks a random k-bit prime q and finds the smallest prime p such that (1) $p = 2 \bmod 3$, (2) q divides $p + 1$, and (3) $q^2$ does not divide $p + 1$. We write $p = \ell q - 1$. The group $G_1$ is the subgroup of order q of the group of points on the curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$. The group $G_2$ is the subgroup of order q of $\mathbb{F}_{p^2}^*$. The bilinear map $\hat{e} : G_1 \times G_1 \to G_2$ is the modified Weil pairing defined above. 

The BDH parameter generator $\mathcal{G}_1$ is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of p and q can be used in practice to make the BDH problem sufficiently hard. It is desirable that we can ensure, at the very least, that the discrete log problem in $G_1$ is sufficiently hard. As pointed out earlier, the discrete log problem in $G_1$ is efficiently reducible to discrete log in $G_2$. Hence, computing discrete log in $\mathbb{F}_{p^2}^*$ is sufficient for computing discrete log in $G_1$. In practice, for proper security of discrete log in $\mathbb{F}_{p^2}^*$ it is desirable to use primes p that are at least 512 bits long (so that the group size is at least 1024 bits long). Consequently, in some embodiments, this BDH parameter generator is used with primes p that may be 512 bits long or more. 
An admissible encoding function: MapToPoint 

Let $G_1, G_2$ be two groups generated by $\mathcal{G}_1$ as defined above. Recall that an IBE system discussed earlier uses a hash function $H_1 : \{0,1\}^* \to G_1^*$. It suffices to have a hash function $H_1 : \{0,1\}^* \to A$ for some set A, and an admissible encoding function $L : A \to G_1^*$. In what follows the set A will be $\mathbb{F}_p$, and the admissible encoding function L will be called MapToPoint, which may be used in various embodiments of the present invention. 

In this example, let p be a prime satisfying $p = 2 \bmod 3$ and $p = \ell q - 1$ for some prime $q > 3$. In this exemplary embodiment, q does not divide $\ell$ (i.e. $q^2$ does not divide $p + 1$). Let E be the elliptic curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$. Let $G_1$ be the subgroup of points on E of order q. In addition, a hash function $H_1 : \{0,1\}^* \to \mathbb{F}_p$ is provided. 

In this exemplary embodiment, algorithm MapToPoint works as follows on input $y_0 \in \mathbb{F}_p$: 

1. Compute $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p - 1)/3} \in \mathbb{F}_p$. 

2. Let $Q = (x_0, y_0) \in E(\mathbb{F}_p)$ and set $Q_{ID} = \ell Q \in G_1$. 

3. Output $\mathrm{MapToPoint}(y_0) = Q_{ID}$. 

This completes the description of MapToPoint. 

We note that there are $\ell - 1$ values of $y_0 \in \mathbb{F}_p$ for which $\ell Q = \ell(x_0, y_0) = O$ (these are the non-O points of order dividing $\ell$). Let $B \subset \mathbb{F}_p$ be the set of these $y_0$. When $H_1(\mathrm{ID})$ is one of these $\ell - 1$ values $Q_{ID}$ is the identity element of $G_1$. It is extremely unlikely for $H_1(\mathrm{ID})$ to hit one of these points: the probability is $1/q < 1/2^k$. Hence, for simplicity we say that $H_1(\mathrm{ID})$ only outputs elements in $\mathbb{F}_p \setminus B$, i.e. $H_1 : \{0,1\}^* \to \mathbb{F}_p \setminus B$. In other embodiments, algorithm MapToPoint can be easily extended to handle the values $y_0 \in B$ by hashing ID multiple times using different hash functions. 

Proposition 8 MapToPoint : $\mathbb{F}_p \setminus B \to G_1^*$ is an admissible encoding function. 

Proof The map is clearly computable and is an $\ell$-to-1 mapping. It remains to show that L is samplable. Let P be a generator of $E(\mathbb{F}_p)$. Given a $Q \in G_1^*$ the sampling algorithm $\mathcal{L}_S$ does the following: (1) pick a random $b \in \{0, \ldots, \ell - 1\}$, (2) compute $Q' = \ell^{-1} \cdot Q + bqP = (x, y)$, and (3) output $\mathcal{L}_S(Q) = y \in \mathbb{F}_p$. Here $\ell^{-1}$ is the inverse of $\ell$ in $\mathbb{Z}_q^*$. This algorithm outputs a random element from the $\ell$ elements in $\mathrm{MapToPoint}^{-1}(Q)$ as required. □ 



A detailed example of an IBE system 

Using the BDH parameter generator $\mathcal{G}_1$ and the admissible encoding function MapToPoint we obtain the following detailed example of an embodiment of an IBE system. 

Setup: Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows: 
Step 1: Run $\mathcal{G}_1$ on input k to generate a k-bit prime q and a prime $p = 2 \bmod 3$ such that q divides $p + 1$. Let E be the elliptic curve defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$. Choose an arbitrary $P \in E(\mathbb{F}_p)$ of order q. 
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. 
Step 3: Pick four hash functions: $H_1 : \{0,1\}^* \to \mathbb{F}_p$; $H_2 : \mathbb{F}_{p^2} \to \{0,1\}^n$ for some n; $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$, and a hash function $H_4 : \{0,1\}^n \to \{0,1\}^n$. 
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = E(\mathbb{F}_p) \times \{0,1\}^n$. The system parameters are $\mathrm{params} = (p, n, P, P_{pub}, H_1, \ldots, H_4)$. The master-key is $s \in \mathbb{Z}_q^*$. 

Extract: For a given string $\mathrm{ID} \in \{0,1\}^*$ the algorithm builds a private key d as follows: 

Step 1: Compute $\mathrm{MapToPoint}(H_1(\mathrm{ID})) = Q_{ID} \in E(\mathbb{F}_p)$ of order q. 

Step 2: Set the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where s is the master key. 

Encrypt: To encrypt $M \in \{0,1\}^n$ under the public key ID do the following: 
Step 1: Compute $\mathrm{MapToPoint}(H_1(\mathrm{ID})) = Q_{ID} \in E(\mathbb{F}_p)$ of order q. 
Step 2: Choose a random $\sigma \in \{0,1\}^n$. 
Step 3: Set $r = H_3(\sigma, M)$. 
Step 4: Set the ciphertext to be 

$C = \langle rP,\ \sigma \oplus H_2(g_{ID}^r),\ M \oplus H_4(\sigma) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$ 

Decrypt: Let $C = \langle U, V, W \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key ID. If $U \in E(\mathbb{F}_p)$ is not a point of order q reject the ciphertext. To decrypt C using the private key $d_{ID}$ do: 

Step 1. Compute $V \oplus H_2(\hat{e}(d_{ID}, U)) = \sigma$. 
Step 2. Compute $W \oplus H_4(\sigma) = M$. 

Step 3. Set $r = H_3(\sigma, M)$. Test that $U = rP$. If not, reject the ciphertext. 
Step 4. Output M as the decryption of C. 

Performance. In this embodiment, algorithms Setup and Extract are very simple. At the heart of both algorithms is a standard multiplication on the curve $E(\mathbb{F}_p)$. Algorithm Encrypt requires that the encryptor compute the Weil pairing of $Q_{ID}$ and $P_{pub}$. Note that this computation is independent of the message, and hence can be done once and for all. Once $g_{ID}$ is computed the performance of this embodiment is almost identical to standard ElGamal encryption. We also note that the ciphertext length of the exemplary embodiment of BasicIdent is the same as in regular ElGamal encryption in $\mathbb{F}_p$. Decryption is a simple Weil pairing computation. 

Security. The security of the detailed exemplary embodiment just described follows directly from Theorem 4 and Theorem 7. 

Corollary 9 The detailed exemplary embodiment described above is a chosen ciphertext secure IBE system (i.e. IND-ID-CCA in the random oracle model) assuming the BDH parameter generator $\mathcal{G}_1$ satisfies the BDH assumption. 

Extensions and Observations 

Tate pairing and other curves. 

Embodiments of our IBE system work with efficiently computable bilinear maps $\hat{e} : G_1 \times G_1 \to G_2$ between two groups $G_1, G_2$ where the BDH assumption holds. Many different elliptic curves may give rise to such maps. For example, one could use the curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p = 3 \bmod 4$ and its endomorphism $\phi : (x, y) \to (-x, iy)$ where $i^2 = -1$. 

In an alternative embodiment, one may use a family of nonsupersingular elliptic curves over $\mathbb{F}_p$ discussed by Miyaji et al. (A. Miyaji, M. Nakabayashi, S. Takano, "New explicit condition of elliptic curve trace for FR-reduction", IEICE Trans. Fundamentals, Vol. E84-A, No. 5, May 2001). For example, to use a curve $E/\mathbb{F}_p$ in this family one can take $G_1$ to be a cyclic subgroup of $E(\mathbb{F}_{p^6})$ (that is not contained in $E(\mathbb{F}_p)$) and then use the trace map on the curve E as the endomorphism $\phi$ used to define the pairing $\hat{e}$. We also note that both encryption and decryption in FullIdent can be made faster in alternate embodiments by using the Tate pairing on elliptic curves rather than the Weil pairing. In other embodiments, suitable bilinear maps may be derived from abelian varieties. 

Asymmetric pairings 

As mentioned earlier, embodiments of our IBE system are not limited to symmetric maps, but may include asymmetric maps as well. In other words, embodiments generally may use maps of the form $\hat{e} : G_0 \times G_1 \to G_2$ where $G_0, G_1$ are groups of prime order q. When $G_0$ and $G_1$ are equal we say the map is symmetric. When $G_0$ and $G_1$ are not equal we say the map is asymmetric. 

The elements $Q_{ID}$ and P in the asymmetric case are members of $G_0$ and $G_1$, respectively (or vice versa), and the target group of the hash function $H_1$ is selected accordingly. However, to make the proof of security go through (Lemma 2 in particular) we use a slightly strange looking complexity assumption which we call the co-BDH assumption: given random $P, aP, bP \in G_1$ and $Q, aQ, cQ \in G_0$ no polynomial time algorithm can compute $\hat{e}(P, Q)^{abc}$ with non-negligible probability. If one uses this assumption then for embodiments using a curve $E/\mathbb{F}_p$ from Miyaji et al. (as just described above) one can take $G_1$ to be a cyclic subgroup of $E(\mathbb{F}_p)$ of order q and $G_0$ to be a different cyclic subgroup of $E(\mathbb{F}_{p^6})$ of order q. This will result in a more efficient system than the method described in the preceding paragraph for using these curves. 

Distributed PKG 

In exemplary embodiments of an IBE system it is desirable that the master-key stored at the PKG be protected. One way of protecting this key is by distributing it among different sites using techniques of threshold cryptography. Embodiments of our IBE system support this in a very efficient and robust way. Recall that in some embodiments discussed above, the master-key may be some $s \in \mathbb{Z}_q^*$ and the PKG uses the group action to compute a private key from s and $Q_{ID}$, where $Q_{ID}$ is derived from the user's public key ID. For example, $d_{ID} = sQ_{ID}$. A distributed PKG embodiment can be implemented in a t-out-of-n fashion by giving each of the n PKGs one share $s_i$ of a Shamir secret sharing of $s \bmod q$. Each of the n PKGs can use its share $s_i$ of the master key to generate a corresponding share $d_i$ of a private key $d_{ID}$ by calculating $d_i = s_i Q_{ID}$. The user can then construct the entire private key $d_{ID}$ by requesting from t of the n PKGs its share $d_i$ of the private key, then combining the shares by calculating $d_{ID} = \sum_i \lambda_i d_i$ where the $\lambda_i$'s are the appropriate Lagrange interpolation coefficients. 

Furthermore, it is easy to make this embodiment robust against dishonest PKGs using the fact that DDH is easy in $G_1$. During setup each of the n PKGs publishes $P_i = s_i P$. During a key generation request the user can verify that the response from the i'th PKG is valid by testing that: 

$\hat{e}(d_i, P) = \hat{e}(Q_{ID}, P_i)$ 

Thus, a misbehaving PKG will be immediately caught. There is no need for zero-knowledge proofs as in regular robust threshold schemes. The PKG's master-key can be generated in a distributed fashion using the techniques of R. Gennaro et al. (R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, "Secure Distributed Key Generation for Discrete-Log Based Cryptosystems", Advances in Cryptology - Eurocrypt '99, Lecture Notes in Computer Science, Vol. 1592, Springer-Verlag, pp. 295-310, 1999). Using this technique, the PKGs can execute a cooperative protocol that allows them to jointly generate their respective shares of the master key without the master key ever existing in any one place. 

Note that a distributed master-key embodiment also enables threshold decryption on a per-message basis, without any need to derive the corresponding decryption key. For example, threshold decryption of BasicIdent ciphertext $(U, V)$ is straightforward if each PKG responds with $\hat{e}(s_i Q_{ID}, U)$. 
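The MapToPoint encoding described earlier and the t-out-of-n PKG share combination just described, as an added Python example that is not part of the patent: the curve arithmetic, the toy parameters p = 131, q = 11, ℓ = 12, the SHA-256 stand-in for H_1, and the identity strings are all assumptions made here. The pairing-based share check ê(d_i, P) = ê(Q_ID, P_i) is left out because the toy implements no Weil pairing; instead the combined key is compared against direct extraction with the master key.

```python
"""Toy MapToPoint and t-out-of-n distributed PKG on y^2 = x^3 + 1 over F_p.
Added example, not the patent's code. Assumed toy parameters p = 131, q = 11,
ell = 12 are tiny so the ell-to-1 property can be checked exhaustively; real
systems use p of at least 512 bits. SHA-256 stands in for H_1."""
import hashlib
import secrets

p, q, ell = 131, 11, 12      # p = ell*q - 1, p = 2 mod 3, q does not divide ell
assert p == ell * q - 1 and p % 3 == 2 and ell % q != 0

def cube_root(a):
    """Unique cube root in F_p when p = 2 mod 3: a^((2p-1)/3)."""
    return pow(a % p, (2 * p - 1) // 3, p)

def ec_add(P1, P2):
    """Affine group law on E (curve coefficient a = 0); None is the point O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % p == 0:   # P2 = -P1, including doubling a 2-torsion point
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q for an integer k >= 0."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def map_to_point(y0):
    """MapToPoint(y0): lift y0 to the unique curve point (x0, y0) (Fact 2), then
    multiply by ell to land in the order-q subgroup G1. Returns O (None) exactly
    when y0 lies in the exceptional set B, which has ell - 1 elements."""
    x0 = cube_root(y0 * y0 - 1)
    return ec_mul(ell, (x0, y0 % p))

def hash_to_fp(id_bytes, ctr):
    """Toy H_1: SHA-256 over a counter and the identity, reduced mod p."""
    digest = hashlib.sha256(ctr.to_bytes(4, "big") + id_bytes).digest()
    return int.from_bytes(digest, "big") % p

def hash_to_point(id_bytes):
    """Q_ID = MapToPoint(H_1(ID)). The counter is the re-hashing fallback the
    text suggests for y0 in B, so the identity element is never returned."""
    for ctr in range(64):
        Q = map_to_point(hash_to_fp(id_bytes, ctr))
        if Q is not None:
            return Q
    raise RuntimeError("every hash attempt landed in B")  # prob. ((ell-1)/p)^64

def shamir_share(s, t, n):
    """t-out-of-n Shamir sharing of the master key s mod q: shares (i, f(i))."""
    coeffs = [s % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q)
            for i in range(1, n + 1)]

def lagrange_at_zero(i, idxs):
    """Lagrange coefficient lambda_i for recovering f(0) from the shares idxs."""
    num, den = 1, 1
    for j in idxs:
        if j != i:
            num = num * (-j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q

def pkg_key_share(s_i, Q_ID):
    """PKG i's answer to an extraction request: d_i = s_i * Q_ID. (The check
    e(d_i, P) = e(Q_ID, P_i) needs the pairing, which this toy does not have.)"""
    return ec_mul(s_i, Q_ID)

def combine_key_shares(shares):
    """d_ID = sum_i lambda_i * d_i over any t PKG responses (i, d_i)."""
    idxs = [i for i, _ in shares]
    d = None
    for i, d_i in shares:
        d = ec_add(d, ec_mul(lagrange_at_zero(i, idxs), d_i))
    return d

def distributed_extract(id_bytes, s, t, n):
    """Whole flow: returns (d_ID rebuilt from t PKG shares, d_ID = s*Q_ID)."""
    Q_ID = hash_to_point(id_bytes)
    responses = [(i, pkg_key_share(s_i, Q_ID)) for i, s_i in shamir_share(s, t, n)]
    return combine_key_shares(responses[:t]), ec_mul(s, Q_ID)
```

Enumerating all of F_p through map_to_point shows the ℓ-to-1 structure of Proposition 8 directly: exactly ℓ - 1 values land on O and every non-identity element of G_1 has exactly ℓ preimages.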

FIG. 5 is a block diagram illustrating a distributed PKG system, according to an 
embodiment of the invention. FIG. 5 includes a sender system 501, receiver system 
502 and three PKGs (PKG A 503, PKG B 504 and PKG C 505). In one embodiment 
illustrating a 2-out-of-3 sharing, each of three PKGs contains a different share of a 
master key, and any two of the three are able to derive the master key. As shown in 
the figure, PKG A 503, PKG B 504, and PKG C 505 include, respectively, master key 
share $s_1$, 511, master key share $s_2$, 512, and master key share $s_3$, 513. In 2-out-of-3 sharing, any two out of these three PKGs could combine their shares to determine the master key, although in this embodiment each PKG secretly holds its master key share. 

Sender system 501 sends a message to receiver 502. The message 514 may be 
encrypted using a public key based on an identifier ID of the receiver. In order to 
obtain the corresponding private key, the receiver system queries two of the three 
PKGs using, for example, the receiver's identity or public key. As shown in the 
figure, receiver system 502 makes queries 506 and 507 to PKG A 503 and PKG B 
504, respectively, in order to obtain two shares of the private key. In response to 
the queries, PKG A 503 and PKG B 504 return, respectively, share $d_1$, 508, and share $d_2$, 509, of private key d, 510. Receiver system 502 is then able to assemble the corresponding private key $d_{ID}$, which corresponds to the public key with which the message 514 was encrypted. More generally, the receiver could have selected to query any two of the three PKGs. For example, receiver system 502 alternatively could have queried PKGs B and C and combined private key shares $d_2$ and $d_3$ to produce the private key 510. These techniques easily generalize to provide similar embodiments using t-out-of-n sharing. 

Sender system 501, receiver system 502 as well as PKGs 503, 504 and 505 may 
be each implemented as computer systems which include elements such as processors 
and computer-readable media such as memory and other storage devices. Communi- 
cation between the respective elements may take place using data packets sent over 
data networks, or any of various other forms of electronic and data transmission and 
communication. The communication may transpire over various architectures of com- 
munication, such as a computer network, such as the Internet, with various wired, 
wireless and other communications media. 

Working in subgroups 

In an alternative embodiment of the detailed IBE system described above, performance may be improved by working in a comparatively small subgroup of the curve. For example, choose a 1024-bit prime $p = 2 \bmod 3$ with $p = aq - 1$ for some 160-bit prime q. The point P is then chosen to be a point of order q. Each public key ID is converted to a group point by hashing ID to a point Q on the curve and then multiplying the point by a. The system is secure if the BDH assumption holds in the group generated by P. The advantage of this embodiment is that the Weil computation is done on points of small order, and hence is much faster. 

IBE implies signatures 

Various IBE techniques described above can be used to provide public key sig- 
nature systems and methods. The intuition is as follows. The private key for the 
signature scheme is the master key for the IBE scheme. The public key for the signa- 
ture scheme is the set of global system parameters for the IBE scheme. The signature 
on a message M is the IBE decryption key for ID = M. To verify a signature, choose 
a random message M', encrypt M' using the public key ID = M, and then attempt 
to decrypt using the given signature on M as the decryption key. If the IBE system is 
IND-ID-CCA, then the signature scheme is existentially unforgeable against a chosen 
message attack. Note that, unlike most signature schemes, this signature verification 
embodiment is randomized. This shows that the IBE techniques described herein 
may encompass both public key encryption and digital signatures. Signature schemes 
derived from these approaches can be used to provide interesting properties, as de- 
scribed by Boneh et al. (D. Boneh, B. Lynn, H. Shacham, "Short signatures from the 
Weil pairing", in Advances in Cryptology - AsiaCrypt 2001, Lecture Notes in Com- 
puter Science, Vol. 2248, Springer-Verlag, pp. 514-532, 2001, which is incorporated 
herein by reference). 

Escrow ElGamal encryption 

In this section we show that various IBE techniques described above can be used 
to provide an ElGamal encryption system embodiment having global escrow capabil- 
ity. In this embodiment, a single escrow key enables the decryption of ciphertexts 
encrypted under any public key. 

In one exemplary embodiment, the ElGamal escrow system works as follows. The 
Setup is similar to that for BasicIdent. Unlike the identity-based BasicIdent, each user 
selects a secret random number and uses it to generate a public/private key pair. A 
sender and receiver can then use Encrypt and Decrypt to communicate an encrypted 
message. The message is secure except for an escrow who can use a master key s to 
decrypt the message. 
FIG. 6 is a block diagram illustrating elements in a cryptosystem with escrow decryption capability according to an embodiment of the invention. The system includes a sender system 601 with encryption logic 610, receiver system 602 with decryption logic 611, escrow agent system 604 and broadcasting system 605. Broadcast system 605 sends system parameters to participants such as escrow agent system 604, receiver system 602 and sender system 601. The receiver system 602 selects a private key x, 607, and uses it to generate a public key $P_{pub} = xP$, 606, which is then published. The private key x and the public key form a complementary key pair. Using the public key $P_{pub} = xP$, 606, sender system 601 encrypts a message M with encryption logic 610. Sender system 601 sends a resulting encrypted message 603 to receiver 602. Receiver system 602 decrypts the message with decryption logic 611 using the private key x, 607. Escrow agent system 604 may intercept message 603 and, using the escrow agent key s, 609, and public key $P_{pub} = xP$, 606, decrypt message 603 with decryption logic 612. In an alternate embodiment, broadcast system 605 and escrow agent 604 may be a single entity. In yet another embodiment, the escrow agent key s may be shared in a manner such as in the distributed PKG embodiments described earlier. 

In more detail, an exemplary embodiment of the technique involves the following procedures: 

Setup: Let $\mathcal{G}$ be some BDH parameter generator. Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows: 

Step 1: Run $\mathcal{G}$ on input k to generate a prime q, two groups $G_1, G_2$ of order q, and an admissible map $\hat{e} : G_1 \times G_1 \to G_2$. Let P be some generator of $G_1$. 
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $Q = sP$. 
Step 3: Choose a cryptographic hash function $H : G_2 \to \{0,1\}^n$. 
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n$. The system parameters are $\mathrm{params} = (q, G_1, G_2, \hat{e}, n, P, Q, H)$. The escrow key is $s \in \mathbb{Z}_q^*$. 

keygen: A user generates a public/private key pair for herself by picking a random $x \in \mathbb{Z}_q^*$ and computing $P_{pub} = xP \in G_1$. Her private key is x (or xQ), her public key is $P_{pub}$. 

Encrypt: To encrypt $M \in \{0,1\}^n$ under the public key $P_{pub}$ do the following: (1) pick a random $r \in \mathbb{Z}_q^*$, and (2) set the ciphertext to be: 

$C = \langle rP,\ M \oplus H(g^r) \rangle$ where $g = \hat{e}(P_{pub}, Q) \in G_2$. 

This encryption technique is also illustrated in FIG. 7, where the sender obtains the system parameters and elements P and $Q = sP$ in block 700, and obtains the recipient's public key $P_{pub} = xP$ in block 710. The sender then selects a random r and computes a message key in block 720. The message key is then used to encrypt a message in block 730. The sender then transmits an encapsulated key rP and encrypted message V to the receiver. 
Decrypt: Let $C = \langle U, V \rangle$ be a ciphertext encrypted using $P_{pub}$. Then $U \in G_1$. To decrypt C using the private key x do: 

$V \oplus H(\hat{e}(U, xQ)) = M$. 

As illustrated in FIG. 8, the receiver obtains the system parameters and elements P and $Q = sP$ in block 800, then obtains the encrypted message V and encapsulated key rP from the sender in block 810. The receiver then computes the message key in block 820, and uses it to decrypt the message in block 830. 

To see that the message keys computed by the sender and receiver are the same, note that the sender knows the secret r as well as the public $Q = sP$ and $P_{pub} = xP$, and uses these to compute a key from $\hat{e}(sP, xP)^r$. The receiver, on the other hand, knows the secret x as well as the public $Q = sP$ and rP, and uses these to compute a message key from $\hat{e}(rP, x(sP))$. The bilinearity of $\hat{e}$ implies that $\hat{e}(sP, xP)^r = \hat{e}(rP, x(sP))$, so the sender and receiver compute the same message key. 
Escrow-decrypt: The purpose of this embodiment is to permit escrow decryption of otherwise secure communications. To decrypt $C = \langle U, V \rangle$ using the escrow key s, compute: 

$V \oplus H(\hat{e}(U, sP_{pub})) = M$. 

As shown in FIG. 9, the escrow obtains the system parameters and element P in 
block 900, then in block 910 obtains the recipient's public key xP, and obtains the 
encrypted message V and encapsulated key rP from the sender. The escrow then 
computes the message key in block 920, and uses it to decrypt the message in block 
930. The escrow can compute the message key from the knowledge of s, rP, and 
xP. 
A standard argument shows that assuming that BDH is hard for groups generated by $\mathcal{G}$ the system of this embodiment has semantic security in the random oracle model (recall that since DDH is easy we cannot prove semantic security based on DDH). 
Yet, the escrow agent can decrypt any ciphertext encrypted using any user's public 
key. The decryption capability of the escrow agent can be distributed using the PKG 
distribution techniques described earlier. 

Another embodiment uses a similar hardness assumption, with an ElGamal en- 
cryption system with non-global escrow. In this embodiment, each user constructs a 
public key with two corresponding private keys, and gives one of the private keys to 
the trusted third party. The trusted third party maintains a database of all private 
keys given to it by the various users. Although both private keys can be used to 
decrypt, only the user's private key can be used simultaneously as the signing key for 
a discrete logarithm based signature scheme. 

Various other cryptographic systems can be devised based on the principles 
illustrated in the above embodiments. For example, three entities A, B, and C can 
communicate securely as a group by privately selecting random integers $a, b, c$ and 
publishing public keys $aP, bP, cP$. One of them, such as A, could encrypt a message 
using the message key $e(bP, cP)^r$ and transmit it with $rP$. Then B could decrypt the 
message by calculating $e(cP, rP)^b$ and C could decrypt it by calculating $e(bP, rP)^c$. 
Similarly, B could send a message to A and C, or C could send a message to A and 
B. 

In another possible embodiment, two of the three entities, say A and B, could 
publish a joint public key $abP$. Then C could encrypt a message using the message 
key $e(abP, cP)^r$ and transmit it with $rP$. Then neither A nor B alone could decrypt 
the message, but both A and B together could compute $e(cP, rP)^{ab}$ and jointly decrypt 
the message. This technique generalizes to any number of entities. For example, C 
could join A and B by using $abP$ to compute and publish the three-way joint public key 
$abcP$. Then anyone could encrypt a message using the message key $e(abcP, xP)^r$ and 
transmit it with $rP$. Then only A and B and C together could compute $e(xP, rP)^{abc}$ 
and jointly decrypt the message. 
Threshold decryption. 

Embodiments of the invention enable $n$ entities to have shares of a private key 
$d_{ID}$ corresponding to a given public key ID, so that messages encrypted using ID can 
only be decrypted if $t$ of the $n$ entities collaborate. The private key $d_{ID}$ is never 
reconstructed in a single location. Embodiments of our IBE system may support this 
as follows. 

Recall that in other embodiments the private key $d_{ID} = sQ_{ID}$ where $s \in \mathbb{Z}_q^*$ is 
the master-key. Instead, let $s_1, \ldots, s_n \in \mathbb{Z}_q^*$ be a $t$-out-of-$n$ Shamir secret sharing of 
the master-key $s$. Each of the $n$ users is given $d_i = s_i Q_{ID}$. To decrypt a ciphertext 
$(U, V)$ encrypted using the key ID each user locally computes $g_i = e(U, d_i)$ and sends 
$g_i \in G_2$ to the user managing the decryption process. That user then combines the 
decryption shares by computing $g_{ID} = \prod_i g_i^{\lambda_i}$ where the $\lambda_i$ are the appropriate Lagrange 
interpolation coefficients used in Shamir secret sharing. The message is then obtained 
by computing $H_2(g_{ID}) \oplus V = M$. 
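The threshold procedure above, as an added Python example that is not the patent's code: a constructed prime-order subgroup of $\mathbb{Z}_{MOD}^*$ (with $MOD = 2q + 1$, generator $g$) stands in for the pairing's target group $G_2$, so user $i$'s share $e(U, d_i) = e(rP, s_i Q_{ID}) = e(P, Q_{ID})^{r s_i}$ becomes $g^{r s_i}$; the function names and the toy primes are assumptions.

```python
import random

# Constructed stand-in for the pairing's target group G_2: the order-q subgroup of
# Z_MOD^* with MOD = 2q + 1 (both prime), generated by g.  In the scheme a share is
# g_i = e(U, d_i) = e(rP, s_i Q_ID) = e(P, Q_ID)^(r s_i); here it is g^(r s_i).
q, MOD, g = 1019, 2039, 4

def shamir_share(s, coeffs, n):
    """t-out-of-n Shamir shares (i, f(i)) of the master key s over Z_q, where
    f(x) = s + coeffs[0] x + ... + coeffs[t-2] x^(t-1) (coeffs drawn at random)."""
    poly = [s % q] + [c % q for c in coeffs]
    return [(i, sum(c * pow(i, k, q) for k, c in enumerate(poly)) % q) for i in range(1, n + 1)]

def lagrange_at_zero(indices):
    """Lagrange coefficients lambda_i (mod q) with f(0) = sum_i lambda_i f(i)."""
    lams = {}
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i:
                num, den = num * (-j) % q, den * (i - j) % q
        lams[i] = num * pow(den, -1, q) % q
    return lams

def decryption_share(share, r):
    """User i's g_i = e(U, d_i) = g^(r s_i), computed from its own share s_i only."""
    i, s_i = share
    return i, pow(g, r * s_i % q, MOD)

def combine(dec_shares):
    """g_ID = prod_i g_i^lambda_i: the message key, without ever forming s itself."""
    lams = lagrange_at_zero([i for i, _ in dec_shares])
    out = 1
    for i, g_i in dec_shares:
        out = out * pow(g_i, lams[i], MOD) % MOD
    return out

def message_key(s, r):
    """What the non-threshold scheme computes: e(U, d_ID) = e(P, Q_ID)^(rs)."""
    return pow(g, r * s % q, MOD)

def demo(t=3, n=5, seed=7):
    """Any t of the n decryption shares recover the message key."""
    rng = random.Random(seed)
    s, r = rng.randrange(1, q), rng.randrange(1, q)
    shares = shamir_share(s, [rng.randrange(q) for _ in range(t - 1)], n)
    parts = [decryption_share(sh, r) for sh in shares]
    return all(combine(parts[k:k + t]) == message_key(s, r) for k in range(n - t + 1))
```

With fewer than $t$ shares the interpolation lands on a wrong value of $f(0)$, so the combined element differs from the message key.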

Those skilled in the art of cryptography will be able to devise many other schemes 
that employ the basic principles of the present invention. 

Applications of Identity-Based Encryption 

One application for embodiments of identity-based encryption is to help the de- 
ployment of a public key infrastructure. In this section, we show several embodiments 
of this and other applications. 

Revocation of Public Keys 

In this embodiment, the sender may encrypt using a public key derived from a 
piece of information containing a time element, such as a year, date or other time, to 
help provide key expiration or other forms of temporal key management. For example, 
in one embodiment, key expiration can be done by having Alice encrypt e-mail sent 
to Bob using the public key: "bob@company.com || current-year". In doing so 
Bob can use his private key during the current year only. Once a year Bob needs to 
obtain a new private key from the PKG. Hence, we get the effect of annual private 
key expiration. Note that unlike the existing public key infrastructure, Alice does 
not need to obtain a new certificate from Bob every time Bob refreshes his private 
key. 

One may make this approach more granular in other embodiments by encrypting 
e-mail for Bob using "bob@company.com || current-date", or using another time 
stamp. This forces Bob to obtain a new private key every day. This embodiment 
may be used in a corporate context where the PKG is maintained by the corporation. 
With this approach key revocation is very simple: when Bob leaves the company and 
his key needs to be revoked, the corporate PKG is instructed to stop issuing private 
keys for Bob's e-mail address. As a result, Bob can no longer read his email. The 
interesting property is that Alice does not need to communicate with any third party 
certificate directory to obtain Bob's daily public key. Hence, embodiments of identity 
based encryption can provide a very efficient mechanism for implementing ephemeral 
public keys. Also note that this embodiment can be used to enable Alice to send 
messages into the future: Bob will only be able to decrypt the e-mail on the date 
specified by Alice. 

Managing user credentials 

An embodiment of the invention enables the management of user credentials using 
an IBE system. The message is encrypted with a string containing a credential 
identifier. For example, suppose Alice encrypts mail to Bob using the public key: 
"bob@company.com || current-year || clearance=secret". Then Bob will only 
be able to read the email if on the specified date he has secret clearance. Consequently, 
it is very easy to grant and revoke user credentials using the PKG. 

FIG. 10 is a block diagram illustrating a system for managing credentials in an 
identity based encryption system according to an embodiment of the invention. The 
system includes sender system 1001, receiver system 1002 and PKG 1003. Each such 
system may be implemented as a computer system such as a client or server con- 
nected to a computer network. Accordingly, sender 1001, receiver 1002 and PKG 
1003 may each contain processors, such as processor 1014, processor 1013 and proces- 
sor 1012. Additionally, these systems may include computer-readable storage media, 
such as computer memory, and may additionally include interfaces to a computer 
network, including technology allowing for communication with a wired, wireless or 
other network. Sender system 1001 may include a software plug-in 1017. Such a 
plug-in may comprise a software module which performs cryptographic functions. 
The plug-in includes, according to an embodiment of the invention, items such as 
cryptographic logic 1004. Plug-in 1017 may be distributed to various computers such 
as sender system 1001 and receiver system 1002 through a network in order to roll 
out functionality associated with identity-based encryption and other communication 
functionality. Parameters 1015 from a system such as PKG 1003 are also distributed 
over a computer network or other communications medium to senders and receivers, 
such as sender system 1001 and receiver system 1002, who may then use them in 
conjunction with plug-in 1017 when encrypting or decrypting messages. In one em- 
bodiment, plug-in 1017 is distributed together with parameters 1014. In an alternate 
embodiment, parameters 1015 may be distributed separately. 

Sender system 1001 encrypts a message M using encryption logic 1004 in plug-in 
1017. Encryption logic 1004 encrypts the message using encryption key 1011, which 
is based on selected credential 1005 and an identification 1016 of the intended receiver 
of the message. In some embodiments, the key may be based on other information 
as well. The sender system 1001 sends the receiver system 1002 information 1006, 
e.g., in the form of a data packet transmitted over a network or other communication 
medium. The information 1006 sent to receiver system 1002 contains the encrypted 
message and may also contain information 1007 regarding the credential 1005 used 
as part of the basis for the encryption key. 

Either before or after receiving information 1006, receiver system 1002 sends a 
request 1009 to PKG 1003. In one embodiment, the request 1009 may include the 
receiver's identity 1016 and may also include information related to the selected cre- 
dential 1005. In response, PKG 1003 verifies the credential of receiver 1002 using 
credential check logic 1008. Such logic may be implemented in software, hardware 
or a combination thereof. If the credential is verified as belonging to the receiver, 
then PKG 1003 provides a response 1010 to receiver 1002, which includes a private 
decryption key 1018 corresponding to the encryption key 1011. Using the private 
decryption key, the receiver then may decrypt the encrypted message contained in 
information 1006 to recover the original message M. Thus, by including a credential 
as part of an encryption key, embodiments such as this one allow a sender to encrypt 
a message intended for a receiver, where the decryption of the message by the receiver 
is contingent upon the validity of the receiver's credential. 
Delegation of Decryption Keys 

Another application for embodiments of IBE systems is delegation of decryption 
capabilities. We give two exemplary embodiments, described with reference to a user 
Bob who plays the role of the PKG. Bob runs the setup algorithm to generate his 
own IBE system parameters params and his own master-key. Here we view params 
as Bob's public key. Bob obtains a certificate from a CA for his public key params. 
When Alice wishes to send mail to Bob she first obtains Bob's public key params from 
Bob's public key certificate. Note that Bob is the only one who knows his master-key 
and hence there is no key-escrow with this setup. 

1. Delegation to a laptop. Suppose Alice encrypts mail to Bob using the current 
date as the IBE encryption key (she uses Bob's params as the IBE system param- 
eters). Since Bob has the master-key he can extract the private key corresponding 
to this IBE encryption key and then decrypt the message. Now, suppose Bob goes 
on a trip for seven days. Normally, Bob would put his private key on his laptop. If 
the laptop is stolen the private key is compromised. When using the IBE system 
Bob could simply install on his laptop the seven private keys corresponding to the 
seven days of the trip. If the laptop is stolen, only the private keys for those seven 
days are compromised. The master-key is unharmed. 

FIG. 11 is a block diagram illustrating a system with key delegation according to 
an embodiment of the invention. The system includes user system 1101 and tar- 
get system 1102. The target system may comprise a computer such as a laptop 
computer. User system 1101 includes a master key 1103, which is used to generate 
decryption keys 1104. The decryption keys 1104 are downloaded to the target sys- 
tem 1102. Using the techniques of key revocation described above, these decryption 
keys may be valid only for a limited time, thus providing additional security in the 
event that target system 1101 is compromised. User system 1101 and target system 
1102 may include elements of computer systems such as memory 1106 and 1107 
as well as processor 1105 and 1108. User system 1101 includes key generator logic 
1109, which uses master key 1103 and system parameters 1110 to generate private 
decryption keys 1104 based on information derived from a user ID 1113 and one 
or more dates 1114 or other time stamps. Target system 1102 includes decryption 
logic 1111, which uses the private decryption keys 1104 obtained from user system 
1101 and system parameters 1110 to decrypt an incoming encrypted message 1112. 
If message 1112 is encrypted using public keys based on ID 1113 and one of the 
dates 1114, then private decryption keys may be used to decrypt it. Thus the de- 
cryption capabilities of target system 1102 may be limited to messages associated 
with selected dates 1114. In an alternate embodiment, the target system may be 
a data storage medium or portable data storage device which can be connected as 
desired to other computer systems, thereby enabling use of the decryption keys on 
those systems. 

2. Delegation of duties. Suppose Alice encrypts mail to Bob using the subject 
line as the IBE encryption key. Bob can decrypt mail using his master-key. Now, 
suppose Bob has several assistants each responsible for a different task (e.g. one is 
'purchasing', another is 'human-resources', etc.). In this embodiment, Bob may give 
one private key to each of his assistants corresponding to the assistant's responsi- 
bility. Each assistant can then decrypt messages whose subject line falls within its 
responsibilities, but it cannot decrypt messages intended for other assistants. Note 
that Alice only obtains a single public key from Bob (params), and she uses that 
public key to send mail with any subject line of her choice. The mail can only be 
read by the assistant responsible for that subject. 

More generally, embodiments of IBE can simplify various systems that manage a 
large number of public keys. Rather than storing a big database of public keys the 
system can either derive these public keys from user names, or simply use the integers 
1, . . . , n as distinct public keys. For example, in a corporation, each employee might 
have a unique employee number, and that number may serve also as the employee's 
public key. 

Return Receipt 

FIG. 12 is a block diagram illustrating an encryption system with return receipt 
according to an embodiment of the invention. According to one embodiment of the 
invention, a sender can receive a confirmation that the recipient has received an 
encrypted message. More generally, upon receipt of a request for a decryption key 
from a receiver, the PKG takes an action separate from providing a decryption key to 
the receiver. Such an action comprises providing an acknowledgement to the sender 
that indicates that the message was received, according to one embodiment. 
An embodiment of a system having return receipt capability is illustrated in FIG. 
12. The system includes sender system 1201, recipient system 1202 and PKG system 
1203. The sender system 1201, receiver system 1202 and PKG system 1203 may 
be implemented as computer systems coupled to a computer network. For example, 
PKG 1203, sender system 1201 and receiver system 1202 may include processor 
1212, processor 1213 and processor 1214, respectively. These computer systems 
may include elements such as computer readable storage media, computer memory 
and other storage devices. Additionally, these systems may include interfaces to a 
computer network, including technology allowing for communication from a wired, 
wireless or other network. Further, according to an embodiment of the invention, 
communication between the respective elements may take place using data packets sent 
over a computer network, or using any of various other forms of electronic and data 
transmission and communication. 

The sender 1201 encrypts a message M and sends the resulting ciphertext to 
receiver 1202 in a data package 1204 that also may include return receipt request 
information 1209. The return receipt request information may contain, for example, 
a return address and a message identifier corresponding to the particular message 
1204. The message M is encrypted by the sender using encryption logic 1211 and an 
encryption key 1215. Encryption key 1215 may be based on a receiver ID (such as an 
e-mail address) 1216 and the return receipt request information 1209. Because the 
receiver ID and return receipt request information 1209 are used by the sender to de- 
termine the encryption key 1215, the receiver 1202 needs a corresponding decryption 
key that can be used to decrypt the message. Accordingly, recipient system 1202, in 
response to receiving message 1204, sends PKG 1203 a request 1206, which includes 
the return receipt request information 1209 and the receiver's ID, 1216. In response, 
PKG 1203 sends to receiver 1202 the private decryption key 1205, which receiver then 
uses with decryption logic 1217 to decrypt the ciphertext of message 1204 and recover 
the original message M. In addition to sending receiver 1202 the decryption key 1205, 
PKG 1203 also sends a return receipt 1207 to sender 1201. PKG 1203 may alterna- 
tively store the receipt on storage media as part of a log rather than send a return 
receipt. Return receipt 1207 may include information such as the message identifier. 
Thus, sender 1201 receives proof that recipient 1202 has received the message 1204. 
The system may be initialized by placing plug-in software in various systems, such 
as sender system 1201 and receiver system 1202. Such plug-in software may include 
system parameters, some of which may be derived from a system master key. Such 
parameters, stored in local devices such as sender 1201 and receiver 1202 are then 
used to generate encryption keys, perform encryption, perform decryption, and other 
functions, as appropriate. 

Description of the Weil pairing 

In this section we describe the Weil pairing on elliptic curves and then show how 
to efficiently compute it using an algorithm. To be concrete we present an example 
using supersingular elliptic curves defined over a prime field $\mathbb{F}_p$ with $p > 3$ (the curve 
$y^2 = x^3 + 1$ over $\mathbb{F}_p$ with $p = 2 \bmod 3$ is an example of such a curve). The following 
discussion easily generalizes to computing the Weil pairing over other elliptic curves. 

Elliptic curves and the Weil pairing 

We state a few elementary facts about supersingular elliptic curves defined over a 
prime field $\mathbb{F}_p$ with $p > 3$: 

Fact 1: A supersingular curve $E/\mathbb{F}_p$ (with $p > 3$) contains $p + 1$ points in $\mathbb{F}_p$. We let 
$O$ denote the point at infinity. The group of points over $\mathbb{F}_p$ forms a cyclic group of 
order $p + 1$. For simplicity, let $P$ be a generator of this group and set $n = p + 1$. 

Fact 2: The group of points $E(\mathbb{F}_{p^2})$ contains a point $Q$ of order $n$ which is linearly 
independent of the points in $E(\mathbb{F}_p)$. Hence, $E(\mathbb{F}_{p^2})$ contains a subgroup which is 
isomorphic to the group $\mathbb{Z}_n \times \mathbb{Z}_n$. The group is generated by $P \in E(\mathbb{F}_p)$ and $Q \in E(\mathbb{F}_{p^2})$. 
We denote this group by $E[p + 1] = E[n]$. 

We will be working with the Weil pairing $e$ which maps pairs of points in $E[n]$ into 
$\mathbb{F}_{p^2}^*$, i.e. $e : E[n] \times E[n] \to \mathbb{F}_{p^2}^*$. To describe the pairing, we review the following 
concepts: 

Divisors A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors 
as $A = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. For example, 
$A = 3(P_1) - 2(P_2) - (P_3)$ is a divisor. We will only consider divisors $A = \sum_P a_P (P)$ where 

Functions Roughly speaking, a function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as 
a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we 
Divisors of functions Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its 
divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of 
the zero that $f$ has at the point $P$. For example, let $ax + by + c = 0$ be the line 
passing through the points $P_1, P_2 \in E(\mathbb{F}_{p^2})$ with $P_1 \neq \pm P_2$. This line intersects 
the curve at a third point $P_3 \in E(\mathbb{F}_{p^2})$. Then the function $f(x, y) = ax + by + c$ 
has three zeroes $P_1, P_2, P_3$ and a pole of order 3 at infinity. The divisor of $f$ is 
$(f) = (P_1) + (P_2) + (P_3) - 3(O)$. 

Principal divisors Let $A$ be a divisor. If there exists a function $f$ such that 
$(f) = A$ then we say that $A$ is a principal divisor. We know that a divisor 
$A = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Note that 
the second summation is using the group action on the curve. Furthermore, 
given a principal divisor $A$ there exists a unique function $f$ (up to constant 
multiples) such that $(f) = A$. 

Equivalence of divisors We say that two divisors $A, B$ are equivalent if their 
difference $A - B$ is a principal divisor. We know that any divisor $A = \sum_P a_P (P)$ 
(with $\sum_P a_P = 0$) is equivalent to a divisor of the form $A' = (Q) - (O)$ for 
some $Q \in E$. Observe that $Q = \sum_P a_P P$. 

Notation Given a function $f$ and a divisor $A = \sum_P a_P (P)$ we define $f(A)$ as 
$f(A) = \prod_P f(P)^{a_P}$. Note that since $\sum_P a_P = 0$ we have that $f(A)$ remains unchanged 
if instead of $f$ we use $cf$ for any $c \in \mathbb{F}_{p^2}$. 

We are now ready to describe the Weil pairing of two points $P, Q \in E[n]$. Let $A_P$ be 
some divisor equivalent to the divisor $(P) - (O)$. We know that $nA_P$ is a principal 
divisor (it is equivalent to $n(P) - n(O)$ which is clearly a principal divisor). Hence, 
there exists a function $f_P$ such that $(f_P) = nA_P$. Define $A_Q$ and $f_Q$ analogously. The 
Weil pairing of $P$ and $Q$ is given by: 

This ratio provides the value of the Weil pairing of $P$ and $Q$ whenever it is well 
defined (i.e., whenever no division by zero has occurred). If this ratio is undefined we 
use different divisors $A_P, A_Q$ to define $e(P, Q)$. When $P, Q \in E(\mathbb{F}_{p^2})$ we have that 
$e(P, Q) \in \mathbb{F}_{p^2}$. 
We briefly show that the Weil pairing is well defined. That is, the value of $e(P, Q)$ 
is independent of the choice of the divisor $A_P$ as long as $A_P$ is equivalent to $(P) - (O)$ 
and $A_P$ leads to a well defined value. The same holds for $A_Q$. Let $\hat{A}_P$ be a divisor 
equivalent to $A_P$ and let $\hat{f}_P$ be a function so that $(\hat{f}_P) = n\hat{A}_P$. Then $\hat{A}_P = A_P + (g)$ 
for some function $g$ and $\hat{f}_P = f_P \cdot g^n$. We have that: 

$$e(P, Q) = \frac{\hat{f}_P(A_Q)}{f_Q(\hat{A}_P)} = \frac{f_P(A_Q)\, g(A_Q)^n}{f_Q(A_P)\, f_Q((g))} = \frac{f_P(A_Q)\, g(nA_Q)}{f_Q(A_P)\, f_Q((g))} = \frac{f_P(A_Q)\, g((f_Q))}{f_Q(A_P)\, f_Q((g))} = \frac{f_P(A_Q)}{f_Q(A_P)}$$

The last equality follows from the following fact known as Weil reciprocity: for any 
two functions $f, g$ we have that $f((g)) = g((f))$. Hence, the Weil pairing is well 
defined. 

Fact 10 The Weil pairing has the following properties: 

• For all $P \in E[n]$ we have: $e(P, P) = 1$. 

• Bilinear: $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and 
$e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$. 

• When $P, Q \in E[n]$ are collinear then $e(P, Q) = 1$. Similarly, 
$e(P, Q) = e(Q, P)^{-1}$. 

• $n$'th root: for all $P, Q \in E[n]$ we have $e(P, Q)^n = 1$. 

• Non-degenerate: if $P$ satisfies $e(P, Q) = 1$ for all $Q \in E[n]$ then $P = O$. 

As discussed earlier, our detailed example of an embodiment of an IBE scheme 
uses the modified Weil pairing $\hat{e}(P, Q) = e(P, \phi(Q))$, where $\phi$ is an automorphism on 
the group of points of $E$. 

Tate pairing. The Tate pairing is another bilinear pairing that has the required 
properties for embodiments of our system. In various embodiments, we slightly modify 
the original definition of the Tate pairing to fit our purpose. Define the Tate pairing 
of two points $P, Q \in E[n]$ as $T(P, Q) = f_P(A_Q)^{(p^2 - 1)/n}$ where $f_P$ and $A_Q$ are defined 
as earlier. This definition gives a computable bilinear pairing $T : E[n] \times E[n] \to G_2$. 
Computing the Weil pairing 

Given two points $P, Q \in E[n]$ we show how to compute $e(P, Q) \in \mathbb{F}_{p^2}^*$ using 
$O(\log p)$ arithmetic operations in $\mathbb{F}_p$. We assume $P \neq Q$. We proceed as follows: pick 
two random points $R_1, R_2 \in E[n]$. Consider the divisors $A_P = (P + R_1) - (R_1)$ and 
$A_Q = (Q + R_2) - (R_2)$. These divisors are equivalent to $(P) - (O)$ and $(Q) - (O)$ 
respectively. Hence, we can use $A_P$ and $A_Q$ to compute the Weil pairing as: 

$$e(P, Q) = \frac{f_P(A_Q)}{f_Q(A_P)} = \frac{f_P(Q + R_2)\, f_Q(R_1)}{f_P(R_2)\, f_Q(P + R_1)}$$

This expression is well defined with very high probability over the choice of $R_1, R_2$ 
(the probability of failure is at most $O(1/p)$). In the rare event that a division by 
zero occurs during the computation of $e(P, Q)$ we simply pick new random points 
$R_1, R_2$ and repeat the process. 

To evaluate $e(P, Q)$ it suffices to show how to evaluate the function $f_P$ at $A_Q$. 
Evaluating $f_Q(A_P)$ is done analogously. We evaluate $f_P(A_Q)$ using repeated doubling. 
For a positive integer $b$ define the divisor 

$$A_b = b(P + R_1) - b(R_1) - (bP) + (O)$$

It is a principal divisor and therefore there exists a function $f_b$ such that $(f_b) = A_b$. 
Observe that $(f_P) = (f_n)$ and hence, $f_P(A_Q) = f_n(A_Q)$. It suffices to show how to 
evaluate $f_n(A_Q)$. 

Lemma 11 There is an algorithm $\mathcal{D}$ that given $f_b(A_Q)$, $f_c(A_Q)$ and $bP$, $cP$, $(b + c)P$ 
for some $b, c > 0$ outputs $f_{b+c}(A_Q)$. The algorithm only uses a (small) constant 
number of arithmetic operations in $\mathbb{F}_{p^2}$. 

Proof We first define two auxiliary linear functions $g_1, g_2$: 

1. Let $a_1 x + b_1 y + c_1 = 0$ be the line passing through the points $bP$ and $cP$ (if 
$b = c$ then let $a_1 x + b_1 y + c_1 = 0$ be the line tangent to $E$ at $bP$). Define 
$g_1(x, y) = a_1 x + b_1 y + c_1$. 

2. Let $x + c_2 = 0$ be the vertical line passing through the point $(b + c)P$. Define 

$g_2(x, y) = x + c_2$ 
The divisors of these functions are: 

$$(g_1) = (bP) + (cP) + (-(b + c)P) - 3(O)$$
$$(g_2) = ((b + c)P) + (-(b + c)P) - 2(O)$$

By definition we have that: 

$$A_b = b(P + R_1) - b(R_1) - (bP) + (O)$$
$$A_c = c(P + R_1) - c(R_1) - (cP) + (O)$$
$$A_{b+c} = (b + c)(P + R_1) - (b + c)(R_1) - ((b + c)P) + (O)$$

It now follows that: $A_{b+c} = A_b + A_c + (g_1) - (g_2)$. Hence: 

$$f_{b+c}(A_Q) = f_b(A_Q) \cdot f_c(A_Q) \cdot \frac{g_1(A_Q)}{g_2(A_Q)} \qquad (1)$$

This shows that to evaluate $f_{b+c}(A_Q)$ it suffices to evaluate $g_i(A_Q)$ for all $i = 1, 2$ and 
plug the results into equation 1. Hence, given $f_b(A_Q)$, $f_c(A_Q)$ and $bP$, $cP$, $(b + c)P$ 
one can compute $f_{b+c}(A_Q)$ using a constant number of arithmetic operations. □ 

Denote the output of Algorithm $\mathcal{D}$ of Lemma 11 by 
$\mathcal{D}(f_b(A_Q), f_c(A_Q), bP, cP, (b + c)P) = f_{b+c}(A_Q)$. Then one can compute 
$f_P(A_Q) = f_n(A_Q)$ using the following standard repeated doubling procedure. Let 
$n = b_m b_{m-1} \ldots b_1 b_0$ be the binary representation of $n$, i.e. $n = \sum_{i=0}^{m} b_i 2^i$. 

Init: Set $Z = O$, $V = f_0(A_Q) = 1$, and $k = 0$. 

Iterate: For $i = m, m - 1, \ldots, 1, 0$ do: 

1: If $b_i = 1$ then do: Set $V = \mathcal{D}(V, f_1(A_Q), Z, P, Z + P)$, set $Z = Z + P$, and set 
$k = k + 1$. 

2: If $i > 0$ set $V = \mathcal{D}(V, V, Z, Z, 2Z)$, set $Z = 2Z$, and set $k = 2k$. 

3: Observe that at the end of each iteration we have $Z = kP$ and $V = f_k(A_Q)$. 

Output: After the last iteration we have $k = n$ and therefore $V = f_n(A_Q)$ as 
required. 

To evaluate the Weil pairing $e(P, Q)$ we run the above algorithm once to compute 
$f_P(A_Q)$ and once to compute $f_Q(A_P)$. Note that the repeated squaring algorithm 
needs to evaluate $f_1(A_Q)$. This is easily done since the function $f_1(x, y)$ (whose 
divisor is $(f_1) = (P + R_1) - (R_1) - (P) + (O)$) can be written out explicitly as follows: 

1. Let $a_1 x + b_1 y + c_1 = 0$ be the line passing through the points $P$ and $R_1$. Define 
the function: $g_1(x, y) = a_1 x + b_1 y + c_1$. 

2. Let $x + c_2 = 0$ be the vertical line passing through the point $P + R_1$. Define 
the function: $g_2(x, y) = x + c_2$. 

3. The function $f_1(x, y)$ is simply $f_1(x, y) = g_2(x, y)/g_1(x, y)$ which is easy to 
evaluate in $\mathbb{F}_{p^2}$. 
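The procedure of this section (Lemma 11, the repeated doubling loop, the explicit $f_1 = g_2/g_1$, and retrying with fresh $R_1, R_2$ after a division by zero), as an added Python example that is not part of the patent: it runs on the constructed toy curve $y^2 = x^3 + 1$ over $\mathbb{F}_{23}$ ($p = 23 \equiv 2 \bmod 3$, $n = p + 1 = 24$), represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[i]$, and adds the distortion map $\phi(x, y) = (\zeta x, y)$ to obtain the modified pairing $\hat{e}(P, Q) = e(P, \phi(Q))$; the prime, the choice of $\phi$, and all names (Fp2, f_n, weil, e_hat) are assumptions. The bilinearity it exhibits is the identity the escrow, group-key and threshold embodiments earlier in this document rely on.

```python
import random
# Constructed toy parameters: p = 2 (mod 3) makes y^2 = x^3 + 1 supersingular
# with p + 1 points over F_p; p = 3 (mod 4) lets us build F_{p^2} as F_p[i].
p, n = 23, 24                                    # E(F_p) has order n = p + 1 = 2^3 * 3

class Fp2:
    """Elements a + b*i of F_{p^2} with i^2 = -1."""
    def __init__(self, a, b=0): self.a, self.b = a % p, b % p
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a*o.a - self.b*o.b, self.a*o.b + self.b*o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __truediv__(self, o):
        nrm = (o.a*o.a + o.b*o.b) % p               # (a+bi)(a-bi) = a^2 + b^2
        if nrm == 0: raise ZeroDivisionError          # a zero or pole was hit
        c = pow(nrm, -1, p)
        return self * Fp2(o.a*c, -o.b*c)
    def __pow__(self, k):
        r, b = Fp2(1), self
        while k:
            if k & 1: r = r*b
            b, k = b*b, k >> 1
        return r
ONE, ZERO = Fp2(1), Fp2(0)

def add(P, Q):
    """Chord-and-tangent addition; points are (x, y) pairs of Fp2, None is O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == ZERO: return None      # Q = -P
        lam = (Fp2(3)*x1*x1) / (Fp2(2)*y1)           # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam*lam - x1 - x2
    return (x3, lam*(x1 - x3) - y1)

def mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = add(add(R, R), P if bit == "1" else None)
    return R

def line(A, B, S):
    """g_1 at S: the line through A and B (tangent if A == B; vertical if A == -B or one is O)."""
    if A is None and B is None: return ONE
    if A is None or B is None: return S[0] - (B if A is None else A)[0]
    if A[0] == B[0] and (A[1] != B[1] or A[1] == ZERO): return S[0] - A[0]
    lam = (Fp2(3)*A[0]*A[0]) / (Fp2(2)*A[1]) if A == B else (B[1] - A[1]) / (B[0] - A[0])
    return S[1] - A[1] - lam*(S[0] - A[0])          # divisor (A) + (B) + (-(A+B)) - 3(O)

def vert(C, S):
    return ONE if C is None else S[0] - C[0]         # g_2: divisor (C) + (-C) - 2(O)

def f_n(P, R1, S):
    """f_n(S) by the repeated-doubling procedure: (f_b) = b(P+R1) - b(R1) - (bP) + (O)."""
    if S is None: raise ZeroDivisionError
    f1 = vert(add(P, R1), S) / line(P, R1, S)       # f_1 = g_2/g_1 written out explicitly
    V, Z = ONE, None                                  # V = f_0(S) = 1, Z = 0P
    bits = bin(n)[2:]
    for i, bit in enumerate(bits):
        if bit == "1":                                # step 1: D(V, f_1, Z, P, Z+P)
            V = V * f1 * line(Z, P, S) / vert(add(Z, P), S)
            Z = add(Z, P)
        if i < len(bits) - 1:                         # step 2: D(V, V, Z, Z, 2Z)
            V = V * V * line(Z, Z, S) / vert(add(Z, Z), S)
            Z = add(Z, Z)
    if V == ZERO: raise ZeroDivisionError             # S was a zero of some g_i
    return V

def weil(P, Q, rng=random.Random(2024)):
    """e(P,Q) = f_P(A_Q)/f_Q(A_P) with A_P = (P+R1)-(R1), A_Q = (Q+R2)-(R2)."""
    while True:
        R1, R2 = rand_torsion(rng), rand_torsion(rng)
        try:
            fP_AQ = f_n(P, R1, add(Q, R2)) / f_n(P, R1, R2)
            return fP_AQ / (f_n(Q, R2, add(P, R1)) / f_n(Q, R2, R1))
        except ZeroDivisionError:                     # as in the text: new R1, R2, retry
            continue

def find_generator():
    """First affine point of E(F_p) of full order n (E(F_p) is cyclic, Fact 1)."""
    pts = ((Fp2(x), Fp2(y)) for x in range(p) for y in range(p) if (y*y - x**3 - 1) % p == 0)
    return next(P for P in pts if mul(n, P) is None and all(mul(n // q, P) for q in (2, 3)))

GEN = find_generator()
# zeta = (-1 + sqrt(-3))/2 with sqrt(-3) = sqrt(3)*i: a cube root of unity outside F_p.
ZETA = Fp2(-1, next(b for b in range(p) if b*b % p == 3)) / Fp2(2)
def phi(P):
    return None if P is None else (ZETA*P[0], P[1])  # distortion map; phi(GEN) is not in E(F_p)

def rand_torsion(rng):
    while True:                                       # random point a*GEN + b*phi(GEN) of E[n], not O
        R = add(mul(rng.randrange(n), GEN), mul(rng.randrange(n), phi(GEN)))
        if R is not None: return R

def e_hat(P, Q):
    return weil(P, phi(Q))                            # modified pairing e^(P, Q) = e(P, phi(Q))
```

Because GEN and 5·GEN both lie in the cyclic group $E(\mathbb{F}_p)$, `weil(GEN, mul(5, GEN))` returns 1 as Fact 10 predicts, while `e_hat(GEN, GEN)` is a nontrivial $n$-th root of unity and satisfies `e_hat(mul(a, GEN), mul(b, GEN)) == e_hat(GEN, GEN) ** (a*b)`.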
1. In a cryptographic system, a method for sharing an identity-based secret mes- 
sage key between a sender and a receiver, the method comprising: 

(a) at a private key generator: obtaining an element Q of a first algebraic 
group, wherein Q represents an identity-based public encryption key of the 
receiver; computing sQ, where s is an integer representing a secret master 
key, and where sQ represents a private decryption key of the receiver; 
sending sQ to the receiver; obtaining an element P of a second algebraic 
group; computing sP; and sending sP to the sender; 

(b) at the sender: obtaining the element Q; obtaining the element P; obtaining 
an element sP from the private key generator; selecting a secret r ∈ Z; 
computing rP; computing the secret message key from r, sP, Q, and a 
bilinear map; and sending rP to the receiver; 

(c) at the receiver: obtaining rP from the sender; obtaining sQ from the 
private key generator; and computing the secret message key from rP, sQ, 
and the bilinear map. 

2. The method of claim 1 wherein sP and P are system parameters published by 
the private key generator. 

3. The method of claim 1 wherein the bilinear map is an admissible map. 

4. The method of claim 1 wherein the bilinear map is a symmetric map and the 
first algebraic group is equal to the second algebraic group. 

5. The method of claim 1 wherein the bilinear map is an asymmetric map. 

6. The method of claim 1 wherein obtaining the element Q at the receiver com- 
prises obtaining a public identifier ID associated with the receiver and computing 
Q from the ID. 

7. A method for generating a decryption key based on a public identifier ID, the 
method comprising: 
(a) obtaining a master key and a set of system parameters associated with an 
identity-based encryption system; 

(b) obtaining an element Q_ID of an algebraic group, wherein the element Q_ID is 
derived from the public identifier ID; and 

(c) computing the decryption key d_ID from the master key and Q_ID using an 
action of the master key on Q_ID, wherein the decryption key d_ID is a member 
of the algebraic group. 

8. The method of claim 7 wherein the algebraic group is a prime-order subgroup 
of an elliptic curve group. 

9. The method of claim 7 wherein computing the decryption key comprises calcu- 
lating d_ID = sQ_ID, where s represents the master key. 

10. The method of claim 7 wherein obtaining the element Q_ID comprises: obtaining 
the public identifier ID; computing the element Q_ID from the public identifier 
ID. 

11. The method of claim 7 wherein the public identifier ID is an identifier selected 
from the group consisting of the finite combinations of: a personal name, a 
name of an entity, a domain name, an IP address, an email address, a social 
security number, a passport number, a license number, a serial number, a zip 
code, an address, a telephone number, a URL, a date, a time, a subject, a case, 
a jurisdiction, a state, a country, a credential, a security clearance level, and a 
title. 

12. A method for encrypting a message in an identity-based cryptosystem to pro- 
duce corresponding ciphertext, the method comprising: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G_0 × G_1 → G_2, where 
G_0, G_1 and G_2 are (not necessarily distinct) algebraic groups; 

(b) selecting a public identifier ID comprising information identifying an in- 
tended receiver of the message; 

(c) computing an element Q_ID ∈ G_0 from the public identifier ID; 

(d) computing a secret message key g ∈ G_2 using e and Q_ID; and 

(e) computing the ciphertext from the message using the message key g. 

13. The method of claim 12 wherein computing the ciphertext comprises computing 
a bit mask from the message key g, and masking the message using the bit mask. 

14. The method of claim 12 wherein computing the ciphertext comprises computing 
a bit mask from a hash of a random bit string a, masking the message using 
the bit mask, and masking the random bit string a using a hash of the secret 
message key. 

15. The method of claim 12 wherein computing the ciphertext comprises computing 
an element rP ∈ G_1, where r ∈ Z is a randomly selected secret, and where 
P ∈ G_1. 

16. The method of claim 12 wherein computing the message key also uses r ∈ Z, 
where r is a randomly selected secret. 

17. The method of claim 12 wherein computing the secret message key uses an 
element sP ∈ G_1, where s is a secret master key. 

18. The method of claim 12 wherein computing the message key g ∈ G_2 uses mul- 
tiple elements s_iP ∈ G_1, where the s_i are shares of a secret master key. 

19. The method of claim 12 wherein computing the element Q_ID comprises: using 
a character encoding scheme to map the public identifier ID to a binary string, 
and hashing the binary string to the element Q_ID of G_0. 

20. The method of claim 12 wherein G_0 and G_1 are derived from an elliptic curve 
defined over a field. 

21. The method of claim 20 wherein e is derived from a Weil pairing on the elliptic 
curve. 

22. The method of claim 20 wherein e is derived from a Tate pairing on the elliptic 
curve. 

23. The method of claim 12 wherein the public identifier ID is an identifier selected 
from the group consisting of the finite combinations of: a personal name, a 
name of an entity, a domain name, an IP address, an email address, a social 
security number, a passport number, a license number, a serial number, a zip 
code, an address, a telephone number, a URL, a date, a time, a subject, a case, 
a jurisdiction, a state, a country, a credential, a security clearance level, and a 
title. 

24. A method for decrypting ciphertext in an identity-based cryptosystem to pro- 
duce an original message, the method comprising: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G0 × G1 → G2, where 
G0, G1 and G2 are (not necessarily distinct) algebraic groups; 

(b) selecting a public identifier ID comprising information identifying an in- 
tended receiver of the message; 

(c) obtaining a private key d_ID ∈ G0 corresponding to the public identifier ID; 

(d) computing a secret message key g ∈ G2 using e and the private key d_ID; 
and 

(e) computing the original message from the ciphertext using the message key 
g. 

25. The method of claim 24 wherein computing the original message comprises 
computing a bit mask from the message key, and unmasking the ciphertext 
using the bit mask. 

26. The method of claim 24 wherein computing the original message comprises un- 
masking a random bit string a using a hash of the message key, and unmasking 
the message using a hash of the random bit string a . 

27. The method of claim 24 wherein the private key d_ID ∈ G1 is derived from Q_ID 
and a secret master key s. 

28. The method of claim 24 wherein obtaining the private key d_ID ∈ G1 comprises 
providing authentication of identity to a private key generator and receiving the 
private key from the private key generator. 

29. The method of claim 24 wherein obtaining the private key d_ID ∈ G0 correspond- 
ing to the public identifier ID comprises obtaining multiple private key portions 
d_i ∈ G0 from multiple corresponding private key generators. 

30. The method of claim 24 wherein G0, G1 and G2 are cyclic groups having orders 
divisible by a prime number q. 

31. The method of claim 24 wherein G0 and G1 are (not necessarily proper) sub- 
groups of an elliptic curve defined over a field. 

32. The method of claim 31 wherein e is derived from a Weil pairing on the elliptic 
curve. 

33. The method of claim 31 wherein e is derived from a Tate pairing on the elliptic 
curve. 

34. The method of claim 24 wherein the public identifier ID is an identifier selected 
from the group consisting of the finite combinations of: a personal name, a name 
of an entity, a domain name, an IP address, an email address, a social security 
number, a passport number, a license number, a serial number, a zip code, an 
address, a telephone number, a URL, a date, a time, a time interval, a subject, 
a case, a jurisdiction, a state, a country, a credential, a security clearance level, 
and a title. 
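Claims 12 to 34 above lay out the identity-based encryption and decryption steps: hash the ID to Q_ID, derive d_ID from the master key s and Q_ID, compute the message key g from the pairing, and mask with hashes of g and of a random bit string. The following Python walk-through is an added example and not code from the patent: it substitutes a constructed toy bilinear map (G0 = G1 = Z_q written additively, G2 the order-q subgroup of Z_p^*, e(aP, bP) = γ^(ab)) for the Weil or Tate pairing the claims name, and the primes, hash functions and identifiers are assumptions.

```python
import hashlib, secrets

# Constructed toy instantiation (assumption, not the patent's Weil/Tate pairing):
# G0 = G1 = Z_q written additively, G2 = order-q subgroup of Z_p^* with p = 2q + 1,
# e(aP, bP) = G2_GEN^(a*b). Bilinear, but G1 elements are plain integers, so this
# illustrates the protocol flow only.
Q = 1019              # prime order q of G0, G1 and G2 (claim 30)
P_MOD = 2 * Q + 1     # 2039, also prime, so Z_p^* has a subgroup of order q
G2_GEN = 4            # a square mod p, hence an element of order q generating G2
P = 1                 # generator P of the additive group Z_q (claim 15)

def pairing(a: int, b: int) -> int:
    """The bilinear map e: G0 x G1 -> G2 of the toy instantiation."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)

def hash_to_g0(identifier: str) -> int:
    """Claim 19: encode ID as a byte string, hash it to a nonzero Q_ID in G0."""
    h = int.from_bytes(hashlib.sha256(identifier.encode("utf-8")).digest(), "big")
    return 1 + h % (Q - 1)

def mask(label: bytes, seed: bytes, length: int) -> bytes:
    """Bit mask of the requested length derived from a hash (claims 14 and 26)."""
    return hashlib.shake_256(label + seed).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Private key generator: secret master key s and public element sP (claim 17)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q

def extract(s: int, identifier: str) -> int:
    """Claim 27: private key d_ID = s * Q_ID (the group action on the master key)."""
    return (s * hash_to_g0(identifier)) % Q

def encrypt(sP: int, identifier: str, message: bytes):
    """Claims 12-16: ciphertext (rP, sigma masked by H(g), M masked by H(sigma))."""
    r = secrets.randbelow(Q - 1) + 1                        # random secret r in Z
    g = pow(pairing(hash_to_g0(identifier), sP), r, P_MOD)  # g = e(Q_ID, sP)^r
    sigma = secrets.token_bytes(32)                         # random bit string sigma
    v = xor(sigma, mask(b"g", g.to_bytes(2, "big"), 32))
    w = xor(message, mask(b"sigma", sigma, len(message)))
    return (r * P) % Q, v, w

def decrypt(d_id: int, ciphertext) -> bytes:
    """Claims 24-26: e(d_ID, rP) = e(Q_ID, P)^(s*r) = g by bilinearity, then unmask."""
    rP, v, w = ciphertext
    g = pairing(d_id, rP)
    sigma = xor(v, mask(b"g", g.to_bytes(2, "big"), 32))
    return xor(w, mask(b"sigma", sigma, len(w)))
```

The receiver never sees r and the sender never sees s or d_ID; both sides reach the same g only because e(sQ_ID, rP) and e(Q_ID, sP)^r move the scalars s and r through the bilinear map.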

35. A method for encrypting a message to produce ciphertext, the method com- 
prising: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G1 × G1 → G2, where 
G1 and G2 are algebraic groups, and elements P, sP ∈ G1, where s ∈ Z is 
a secret master key; 

(b) obtaining a public key xP ∈ G1 corresponding to an intended receiver, 
where x ∈ Z is a secret of the intended receiver; 

(c) computing a message key g ∈ G2 using e, sP, the public key xP, and a 
randomly selected r ∈ Z; and 

(d) computing the ciphertext from the message using the message key g. 

36. A method for decrypting a ciphertext to produce message, the method com- 
prising: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G1 × G1 → G2, where 
G1 and G2 are algebraic groups, and elements P, sP ∈ G1, where s ∈ Z is 
a secret master key; 

(b) computing a message key g ∈ G2 using e, sP, a private key x and an 
element rP ∈ G1 received from a sender, where r ∈ Z is a secret of the 
sender; and 

(c) computing the message from the ciphertext using the message key g. 

37. A method for decrypting a ciphertext to produce a message, the method com- 
prising: 

(a) obtaining a secret master key s ∈ Z and a set of parameters associated with 
a cryptographic system, wherein the parameters comprise an admissible 
map e : G1 × G1 → G2, where G1 and G2 are algebraic groups; 

(b) obtaining a public key xP ∈ G1 corresponding to an intended receiver of 
the message, where x ∈ Z is a secret of the intended receiver; 

(c) computing a message key g ∈ G2 using e, the public key xP, the secret 
master key s, and an element rP ∈ G1 received from a sender, where r ∈ Z 
is a secret of the sender; and 

(d) computing the message from the ciphertext using the message key g. 

38. A method for encrypting an e-mail message addressed to a receiver, the method 
comprising: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G0 × G1 → G2, where 
G0, G1 and G2 are algebraic groups; 

(b) selecting a public identifier ID comprising an e-mail address of the receiver; 

(c) computing an element Q_ID ∈ G0 corresponding to the public identifier ID; 

(d) computing a message key g ∈ G2 using e, Q_ID and a randomly selected 
secret r ∈ Z; and 

(e) computing an encrypted message from the message using the message key 
g. 

39. The method of claim 38 wherein the public identifier ID further comprises an 
identifier selected from the group consisting of: a personal name, a name of 
an entity, a domain name, an IP address, a social security number, a passport 
number, a license number, a serial number, a zip code, an address, a telephone 
number, a URL, a date, a time, a subject, a case, a jurisdiction, a state, a 
country, a credential, a security clearance level, and a title. 

40. A computer-readable storage medium having stored thereon ciphertext com- 
prising: a first component representing an element computed from a randomly 
selected secret integer of a sender, and a second component representing a mes- 
sage encrypted by the sender using a secret message key, wherein the secret 
message key is computed by the sender using a bilinear map, the secret integer, 
and an identity-based public key of an intended receiver. 

41. A method of encrypting a first piece of information to be sent by a sender to 
a receiver, the method comprising: providing a second piece of information; 
generating an encryption key from the second piece of information; and using 
a bilinear map and the encryption key to encrypt at least a portion of the first 
piece of information to be sent from the sender to the receiver. 

42. The method of claim 41 wherein the bilinear map is symmetric. 

43. The method of claim 41 wherein the bilinear map is admissible. 

44. The method of claim 41 wherein the bilinear map is based on a Weil pairing. 

45. The method of claim 41 wherein the bilinear map is based on a Tate pairing. 

46. The method of claim 41 wherein the second piece of information includes infor- 
mation associated with the receiver. 

47. The method of claim 41 wherein the second piece of information comprises an 
e-mail address. 

48. The method of claim 41 wherein the second piece of information includes infor- 
mation corresponding to a time. 

49. The method of claim 41 wherein the second piece of information includes a 
message identifier. 

50. The method of claim 41 wherein the second piece of information includes a 
credential identifier. 

51. The method of claim 41 wherein the second piece of information includes a 
subject identifier for the message. 

52. A method of decrypting ciphertext encrypted by a sender with an identity-based 
encryption key associated with a receiver, the method comprising: obtaining a 
decryption key derived from the encryption key; and using a bilinear map and 
the decryption key to decrypt at least a portion of the ciphertext. 

53. The method of claim 52 wherein the bilinear map is symmetric. 

54. The method of claim 52 wherein the bilinear map is admissible. 

55. The method of claim 52 wherein the bilinear map is based on a Weil pairing. 

56. The method of claim 52 wherein the bilinear map is based on a Tate pairing. 

57. The method of claim 52 further comprising: obtaining the ciphertext prior to obtain- 
ing the decryption key. 

58. The method of claim 52 wherein obtaining the decryption key comprises sending a 
request to a private key generator, wherein the request comprises information 
sent by a sender together with the ciphertext. 

59. A method of generating a decryption key corresponding to an encryption key, 
wherein the encryption key is based on a first piece of information, the method 
comprising: providing an algebraic group having a group action; providing a 
master key; generating the encryption key based on the first piece of informa- 
tion; and generating the decryption key based on the group action applied to 
the master key and the encryption key. 

60. The method of claim 59 wherein the algebraic group is defined by at least a 
portion of an elliptic curve. 

61. The method of claim 59 wherein the first piece of information comprises information 
associated with an entity. 

62. The method of claim 59 wherein the first piece of information comprises an e-mail 
address. 

63. The method of claim 59 wherein the decryption key is generated in response to a re- 
quest from a receiver of an encrypted message, and the first piece of information 
includes a message identifier. 

64. The method of claim 59 wherein the decryption key is generated in response to a 
request from a receiver and the first piece of information includes an attribute 
associated with the receiver. 

65. The method of claim 59 wherein the first piece of information includes information 
corresponding to a time. 

66. The method of claim 59 wherein the first piece of information includes infor- 
mation corresponding to a time, wherein the decryption key is generated on a 
user system, and wherein the method further comprises storing the decryption 
key on a target system. 

67. The method of claim 59 wherein the first piece of information includes infor- 
mation corresponding to a responsibility; and wherein the method further com- 
prises providing respective decryption keys to an entity associated with the 
responsibility. 

68. The method of claim 59 further comprising receiving a request for the decryption 
key from a receiver, and providing the key to the receiver if the receiver is 
authenticated. 

69. The method of claim 59 wherein the master key is a share of a shared master 
key. 

70. A method of providing system parameters for a cryptographic system compris- 
ing: providing a system parameter representing an algebraic group Gi and an 
algebraic group G 2 ; and providing a system parameter representing a bilinear 
map e mapping pairs of elements of Gi to elements of G 2 . 

71. The method of claim 70 wherein the bilinear map is symmetric. 

72. The method of claim 70 wherein the bilinear map is based on a Weil pairing. 

73. The method of claim 70 wherein the bilinear map is based on a Tate pairing. 

74. The method of claim 70 wherein the algebraic group G1 is derived from at least a 
portion of an elliptic curve. 

75. The method of claim 70 wherein the algebraic group G1 is derived from at least 
a portion of the elliptic curve y^2 = x^3 + 1. 

76. A method for communicating between a sender and a receiver, the method 
comprising: encrypting a message to be sent from the sender to the receiver 
using an encryption key derived in part from a message identifier; sending the 
encrypted message from the sender to the receiver; receiving a request from 
the receiver for a decryption key, wherein the request includes the message 
identifier; after receiving the request for the decryption key, generating receipt 
information indicating that the receiver has received the message, and providing 
the decryption key to the receiver. 

77. The method of claim 76 comprising: sending to the sender the generated receipt 
information. 

78. The method of claim 76 wherein the encryption key is derived in part from an 
identifier associated with the sender. 

79. The method of claim 76 wherein the encryption key is derived in part from an 
identifier associated with the receiver. 

80. A method for communicating between a sender and a receiver, the method com- 
prising: obtaining identifying information of the receiver; specifying a credential 
required for the receiver to gain a decryption key; deriving an encryption key 
from the identifying information of the receiver and the credential; encrypting 
a message using the encryption key and a bilinear map; sending the encrypted 
message from a sender to the receiver; receiving a request from the receiver 
of the message for a decryption key; determining whether the receiver has the 
credential; if the receiver has the credential, providing the decryption key to the 
receiver; decrypting the encrypted message using the decryption key and the 
bilinear map. 

81. A system for encrypting a message in an identity-based cryptosystem to produce 
corresponding ciphertext, the system comprising: 
(a) a resource that obtains a set of parameters associated with a cryptographic 
system, wherein the parameters comprise a bilinear map e : G0 × G1 → G2, 
where G0, G1 and G2 are (not necessarily distinct) algebraic groups; 

(b) a resource that selects a public identifier ID comprising information iden- 
tifying an intended receiver of the message; 

(c) a resource that computes an element Q_ID ∈ G0 from the public identifier 
ID; 

(d) a resource that computes a secret message key g ∈ G2 using e and Q_ID; and 

(e) a resource that computes the ciphertext from the message using the mes- 
sage key g. 

82. An electronic message comprising ciphertext computed from a message and a 
message key g, wherein g is generated by: 

(a) obtaining a set of parameters associated with a cryptographic system, 
wherein the parameters comprise a bilinear map e : G0 × G1 → G2, where 
G0, G1 and G2 are (not necessarily distinct) algebraic groups; 

(b) selecting a public identifier ID comprising information identifying an in- 
tended receiver of the message; 

(c) computing an element Q_ID ∈ G0 from the public identifier ID; and 

(d) computing the message key g ∈ G2 using e and Q_ID. 